Help w rebuttal to University security staff denying zotero
Ho guys,
I have been using zotero for a long time and want to continue using it.
My institution does not want me to use zotero and are favoring Endnote.
Below are excerpts from a recent conversation with our security team.
I wrote to zotero support and got a good reply. I was wondering if this community has any additional suggestions for cogent arguements I can include in my rebuttal
Thank you all.
Me: please clarify what risk you are talking about.
How is storing publicly available PDF files from journals related to security risk and how does using Endnote negates that risk.
Them: Files stored in Zotero are not stored encrypted. Further, I was unable to determine the Security features of Zotero. Security is most likely not a consideration in this software. Without a Contract, we are unable to conduct a Vendor Risk Assessment. It is uncertain whether Codes written for the Zotero software are checked for any vulnerabilities or Backdoors, or whether any of the MDACC Security requirements are met.
Me: Also, please provide supporting information how using zotero increases risk of malware intrusion and infections compared to Endnote.
Them: Zotero allows you to download files and bring back to your desktop on the MDA network. Unsecured Files downloaded are a perfect attack vector that a cyber attacker can use for inserting malware and infiltrating the MDA network via Backdoor, or Code Injection. MDA Research, Intellectual Property and Patient Health Information is at Risk, and is an attractive target for cyber attackers.
The Institution does not encourage additional software, if there is a suitable Application offered by the Institution for use, with similar functionalities.
Me: I would encourage you to please review and understand what zotero is and what purpose it is used for.
Them: I did review Zotero. I could not find security features offered.
Me: This is not about convenience, this is about accuracy.
Them: You mentioned that it is free software and it is easier to use àThat makes it Convenient
Me : Endnote makes more mistakes in generating bibliographic information while zotero is more accurate in this regard. Please see attached literature.
Them: Summary:
The software request for Zotero was sent to Information Security Department for Risk Review.
Zotero is free software - with no contract, no SLA, no Vendor Risk Assessment, no Vendor responsibilities to the Institution.
Free software is an attractive target for cyber attackers. Unencrypted, unsecured Files downloaded can serve as a backdoor for malware code injection, and create an attack vector for cyber criminals. With no Contracts, no SLA, no Vendor Risk Assessments, the inherent Risk to the Institution is High.
As such, Zotero is not Approved.
I have been using zotero for a long time and want to continue using it.
My institution does not want me to use zotero and are favoring Endnote.
Below are excerpts from a recent conversation with our security team.
I wrote to zotero support and got a good reply. I was wondering if this community has any additional suggestions for cogent arguements I can include in my rebuttal
Thank you all.
Me: please clarify what risk you are talking about.
How is storing publicly available PDF files from journals related to security risk and how does using Endnote negates that risk.
Them: Files stored in Zotero are not stored encrypted. Further, I was unable to determine the Security features of Zotero. Security is most likely not a consideration in this software. Without a Contract, we are unable to conduct a Vendor Risk Assessment. It is uncertain whether Codes written for the Zotero software are checked for any vulnerabilities or Backdoors, or whether any of the MDACC Security requirements are met.
Me: Also, please provide supporting information how using zotero increases risk of malware intrusion and infections compared to Endnote.
Them: Zotero allows you to download files and bring back to your desktop on the MDA network. Unsecured Files downloaded are a perfect attack vector that a cyber attacker can use for inserting malware and infiltrating the MDA network via Backdoor, or Code Injection. MDA Research, Intellectual Property and Patient Health Information is at Risk, and is an attractive target for cyber attackers.
The Institution does not encourage additional software, if there is a suitable Application offered by the Institution for use, with similar functionalities.
Me: I would encourage you to please review and understand what zotero is and what purpose it is used for.
Them: I did review Zotero. I could not find security features offered.
Me: This is not about convenience, this is about accuracy.
Them: You mentioned that it is free software and it is easier to use àThat makes it Convenient
Me : Endnote makes more mistakes in generating bibliographic information while zotero is more accurate in this regard. Please see attached literature.
Them: Summary:
The software request for Zotero was sent to Information Security Department for Risk Review.
Zotero is free software - with no contract, no SLA, no Vendor Risk Assessment, no Vendor responsibilities to the Institution.
Free software is an attractive target for cyber attackers. Unencrypted, unsecured Files downloaded can serve as a backdoor for malware code injection, and create an attack vector for cyber criminals. With no Contracts, no SLA, no Vendor Risk Assessments, the inherent Risk to the Institution is High.
As such, Zotero is not Approved.
This is an old discussion that has not been active in a long time. Before commenting here, you should strongly consider starting a new discussion instead. If you think the content of this discussion is still relevant, you can link to it from your new discussion.
Upgrade Storage
https://www.zotero.org/support/security
It doesn't sound like this person has any clue what they're talking about, and they don't sound open to evidence, so if possible I would try to escalate this to someone more knowledgeable and reasonable.
This person is using technical jargon in meaningless ways — e.g., saying that "files stored in Zotero are not stored encrypted". File encryption has no connection to network security, and, regardless, file encryption is typically an OS-level task and isn't something individual programs do, which is why EndNote doesn't either. "Unencrypted, unsecured Files downloaded can serve as a backdoor for malware code injection" is nonsense here — Zotero "downloads files" from sites the same way that you would download a PDF manually in your browser, with the same transport encryption, and all of Zotero's communications with Zotero servers, including software updates, have always been encrypted. "Free software is an attractive target for cyber attackers" is an absurd, evidence-free statement — whether software costs money has no bearing on its security, and probably the largest hack in U.S. history was just perpetrated by targeting enterprise software installed across the federal government and private sector.
Zotero is a leading research tool, recommended by most universities worldwide, created at a major U.S. research university and initially funded by several major philanthropic organizations. It's been around for 15 years, is built by a team of professional software developers, and is funded by a stable services business, with clients including major universities, multinational corporations, and governmental agencies. The code is open-source, allowing it to be publicly audited for security issues (which is not the case for proprietary software), and privacy and security are at the core of its design.
Our security and privacy policies are here:
https://www.zotero.org/support/security
https://www.zotero.org/support/privacy
In particular, the privacy policy documents every single type of network request Zotero makes, the reason for it, and how to turn it off, which is a level of transparency and user control that almost no other software provides. As documented there, Zotero is a local program that stores all data locally by default, and it can be used without syncing data to the cloud.