Hello all, I am new to this mailing list, so please forgive me if I do not adhere to established processes. I promise to learn as we go on :-) The issue I would like to bring up is that of database security, namely, the fact that the database is completely accessible by anyone. Why do I propose that this is a problem? Let us, for the sake of this example, consider two fictive companies, NetISP and ISPNet. Both are ISP's, and they compete over market share in their country. As you are aware, a full customer list is considered very useful information in industrial espionage in this field, something that one company would most certainly not want to reveal to the other. Yet, with the RIPE DB open for prying eyes, both ISPs could easily gain this info. Alright, you say, so what? Both suffer from the same disadvantage, right? Well, not really. Following are just two scenarios I cooked up to explain why: 1) NetISP has been in the market for four years. ISPNet is new, and is interested primarily in market share. Since this is their focus, being new, they can allow themselves the luxury of selling at losing prices, in an effort to establish a market share. Looking at the RIPE DB, they can immediately find all the customers of NetISP, and try to "steal" them away. NetISP, however, has no such option. 2) NetISP got RIPE allocations, while ISPNet got other allocations. Why? It happens. In Israel, for example, the range 192.114.0.0-192.118.255.255 can be allocated without having to update the RIPE DB. Assume for a moment that NetISP have RIPE allocated IPs, while ISPNet have those "special" IPs. Only the latter will be able to check on the former. Again NetISP will lose. I suggest that some security feature be added to the database. Maybe hide some fields with a password, or make the retrieval utility more secure. There is a serious business problem here that I feel needs to be resolved. Many 10x, Sincerely, \'"'/ Barak Engel ( o o ) ---------------------ooOO-^-oOOo--------------------------- barak@netvision.net.il Network Expert BE-RIPE BE174 Phone/Fax: +972 48 560600/551132 Cellular: +972 50 469 341 -----------------------------------------------------------
Hi, On Mon, Jan 04, 1999 at 05:22:02PM +0200, Barak Engel wrote:
I suggest that some security feature be added to the database.
Lets discuss, what measures should be taken to circumvent the situation you describe. I can see the problem from two different point of views: 1) Yours. Then we have to close the database down, to a bare documentation-tool for IP-Nets, accessible only by the registries. 2) Mine. I need the database to track technical problems and people who are able to solve them. (hopefully, this view is shared by most of the people here ;)) The security mechanism, which is in place, is not technical, it is just organisational. There is a copyright on the database. The uses, you describe, are forbidden by this copyright. If someone violates this copyright, at least in Germany there are other measures to forbid such a use of the database. Greetings, Jens Hoffmann -- -------------------------------------------------- http://www.ivm.net/ ----- | \ / |\ /| Internet | IVM GmbH | \ / | \ / | Vernetzung | Zissener Str. 8, D-53498 Waldorf | \ / | \/ | Mehrwertdienste | tel 02636 9769 -110 fax -999 ----------------------------------------------------------------------------
Hi,
Lets discuss, what measures should be taken to circumvent the situation you describe. I can see the problem from two different point of views:
1) Yours. Then we have to close the database down, to a bare documentation-tool for IP-Nets, accessible only by the registries.
Thats not what I said. For example, the DB could only hide specific fields behind a password. For example, the "descr" field which gives away the company name.
2) Mine. I need the database to track technical problems and people who are able to solve them. (hopefully, this view is shared by most of the people here ;))
Including myself. But on the other hand, there is a problem here which, I feel, needs to be addressed. The database structure was implemented in times when the Internet was not so business oriented as it is today. I think that it may need some rethinking to fit the times, so to speak :-)
The security mechanism, which is in place, is not technical, it is just organisational. There is a copyright on the database. The uses, you describe, are forbidden by this copyright.
If someone violates this copyright, at least in Germany there are other measures to forbid such a use of the database.
Well, lucky for you in Germany :-) Seriously, though, there is no way in which you could actually prove, in court, the sort of thing I describe. I am talking from personal experience... *sigh* 10x again, Sincerely, \'"'/ Barak Engel ( o o ) ---------------------ooOO-^-oOOo--------------------------- barak@netvision.net.il Network Expert BE-RIPE BE174 Phone/Fax: +972 48 560600/551132 Cellular: +972 50 469 341 -----------------------------------------------------------
Suppose that I am a "new" ISP in Greece and I want to "steal" some of the market share here. I have two ways: 1- Read the RIPE DB info and find out who the customers are 2- traceroute to major potential customers and find out who the ISPs are I do not think that this is a problem with the RIPE DB. My 0.02 GRD (no Euro here yet ;-) -- Yiorgos Adamopoulos -- #include <std/disclaimer.h> mailto: Y.Adamopoulos@noc.ntua.gr -- Network Operations Center, NTUA, GREECE
Suppose that I am a "new" ISP in Greece and I want to "steal" some of the market share here.
I have two ways:
1- Read the RIPE DB info and find out who the customers are 2- traceroute to major potential customers and find out who the ISPs are
I do not think that this is a problem with the RIPE DB.
Oh, but it is. Think about it. With traceroute, I would need to start tracing all the customer I can think of. This will require a lot of time, AND will be based on my good guess as to which customers belong to that company I am trying to steal customers from. Lots of guesswork, no accuracy guarantee, and days of work. With the RIPE DB, all I need is their AS number. Then I can find the route objects related to it, and then a simple recursive query will give me their full, 100% accurate customer list, with addresses, phone numbers and every info I need (including the size of their network, which could point to the size of the company). No guesswork, 100% accuracy, 15 minute work. :-) 10x again, Sincerely, \'"'/ Barak Engel ( o o ) ---------------------ooOO-^-oOOo--------------------------- barak@netvision.net.il Network Expert BE-RIPE BE174 Phone/Fax: +972 48 560600/551132 Cellular: +972 50 469 341 -----------------------------------------------------------
participants (3)
-
Barak Engel -
Jens Hoffmann -
Yiorgos Adamopoulos