RIPE DB: disclosure of commertial information
Hi! I have very strange situation. One company I support, an ISP, wants to become a LIR. But they do not want to put information about their clients' assignments into the RIPE DB, because of there is a possibility to steal clients (most of them - major clients) using RIPE DB, and they says that there already was some incidents. Really, you can see RIPE DB for assignments of LIR to have its client list with name of organisation, size (larger client have larger assignment), address, phone, fax, email, and even administrative and technical contact persons. Only you need to do - is to send (or even talk with) better offer addressing it to certain people... What do you think about it? -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Thu, 12 May 2005, Max Tulyev wrote:
What do you think about it?
That as of today this is part of the set of rules for the game. And it is the same set of rules for everybody. Wilfried.
president@ukraine.su (Max Tulyev) wrote:
Really, you can see RIPE DB for assignments of LIR to have its client list with name of organisation, size (larger client have larger assignment), address, phone, fax, email, and even administrative and technical contact persons. Only you need to do - is to send (or even talk with) better offer addressing it to certain people...
What do you think about it?
If you can only keep your clients through hiding any information about the connection, you have entirely different problems. Apart from that: The data of every assignment is in the RIPE database so that the actual user can held accountable for what they are doing. Elmar. -- "Begehe nur nicht den Fehler, Meinung durch Sachverstand zu substituieren." (PLemken, <bu6o7e$e6v0p$2@ID-31.news.uni-berlin.de>) --------------------------------------------------------------[ ELMI-RIPE ]---
Quoting "Elmar K. Bins" <elmi@4ever.de>:
If you can only keep your clients through hiding any information about the connection, you have entirely different problems.
Second that. That also gives Your client equal chance to steal customers from other opponents. -- amar
В сообщении от четвер 12 травень 2005 16:19 amar andersson написал(a):
Quoting "Elmar K. Bins" <elmi@4ever.de>:
If you can only keep your clients through hiding any information about the connection, you have entirely different problems.
Second that.
That also gives Your client equal chance to steal customers from other opponents.
Please show me the Russian ISP showing their clients in RIPE DB ;) Most of them don't, as I can see. Most of major clients really are friends and don't change connection to anyone else. But some is just clients just using service - and will switch to others if there will be an [financial] reason. Having addressing database (with contact person, especially technical) there is easy to do this. So it seems to be good for you to share commertial information of ISP, and it should not be secret. Escalating the situation: will we need the connection-price: field in database? Why? -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Thu, May 12, 2005 at 04:28:51PM +0400, Max Tulyev wrote: Hello Max,
connection-price: field in database? Why?
If you would like to advertise your pricing in the RIPE database, you can always use the remarks: field.. -- Sabri Berisha, Juniper Certified - JNCIA #747 | Cisco Certified - CCNA email: sabri@cluecentral.net | cell: +31 6 19890416 http://www.cluecentral.net/ | http://www.virt-ix.net/
Hi Max, president@ukraine.su (Max Tulyev) wrote:
Most of major clients really are friends and don't change connection to anyone else. But some is just clients just using service - and will switch to others if there will be an [financial] reason. Having addressing database (with contact person, especially technical) there is easy to do this.
Well, if you have like, say, dialup customers, you may easily set aside a dialup-pool, enter this - registered to yourself (the ISP) - into the RIPE DB, and everything's fine. (Dynamic-IP) Dialup access has always been done with pools; the documentation necessity begins with statically-assigned adresses or networks.
So it seems to be good for you to share commertial information of ISP, and it should not be secret. Escalating the situation: will we need the connection-price: field in database? Why?
I do not know how it is in Russia currently, but in Germany, the cost of an Internet connection is not only experienced through the retail price, but through other factors (services given, support, uptime, quality) as well. If you are on a bargaining market, you might stick to dialup/dynamic access and go the "best practice" I described above. If you want to deliver quality Internet, this quality thing does not only go towards your customer, it has to be brought towards the Internet (here: The RIPE community), too. Elmar. -- "Begehe nur nicht den Fehler, Meinung durch Sachverstand zu substituieren." (PLemken, <bu6o7e$e6v0p$2@ID-31.news.uni-berlin.de>) --------------------------------------------------------------[ ELMI-RIPE ]---
В сообщении от четвер 12 травень 2005 16:55 Elmar K. Bins написал(a):
Well, if you have like, say, dialup customers, you may easily set aside a dialup-pool, enter this - registered to yourself (the ISP) - into the RIPE DB, and everything's fine.
Yes, but it is good for the large group of small customers. But major customers have to have (at least officially must) their assignment into the RIPE DB.
I do not know how it is in Russia currently, but in Germany, the cost of an Internet connection is not only experienced through the retail price, but through other factors (services given, support, uptime, quality) as well. If you are on a bargaining market, you might stick to dialup/dynamic access and go the "best practice" I described above. If you want to deliver quality Internet, this quality thing does not only go towards your customer, it has to be brought towards the Internet (here: The RIPE community), too.
Quality can't be meansured and compared, so everybody says they have the best ;) -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Thu, May 12, 2005 at 02:55:10PM +0200, Elmar K. Bins wrote:
Well, if you have like, say, dialup customers, you may easily set aside a dialup-pool, enter this - registered to yourself (the ISP) - into the RIPE DB, and everything's fine.
(Dynamic-IP) Dialup access has always been done with pools; the documentation necessity begins with statically-assigned adresses or networks.
That's more-or-less what we do, the large part of our customers are put in larger assignments which we hold full responsibillity for. Even on the business side although we note the name or a short form of it, we maintain responsible for the block and what they do with it, so unless the customer asks for it and has good reasons, we refer to our own admin-c and tech-c role objects. It's part of our service and I'm pretty interested in any misbehaviour of them, I don't want the customer to use it's own role to advertise his own address as abuse contact. Further, I wonder how many people are actually using the ripe-db for these kind of purposes (stealing customers as you call it), as there are other ways to find out like traceroute, domain registrations vs (secondary) nameservers or even a lookup of the in-addr.arpa zones. The risk is minimal as I see it and it's the rule. So as other people pointed out, if we everybody sticks to the procedure, we are all equal. MarcoH (on a sidenode, I'm referring to PA space here)
* Max Tulyev wrote:
Most of major clients really are friends and don't change connection to anyone else. But some is just clients just using service - and will switch to others if there will be an [financial] reason. Having
Welcome to free market economy.
addressing database (with contact person, especially technical) there is easy to do this.
If your clients are satisfied they won't change their provider. If not they will change anyway, regardles of being listed in RIPE DB or not. So what's the problem at all? --sebastian -- SABT-RIPE PGPKEY-D008DA9C
В сообщении от четвер 12 травень 2005 17:00 Sebastian Abt написал(a):
Welcome to free market economy.
;-)))))
addressing database (with contact person, especially technical) there is easy to do this. If your clients are satisfied they won't change their provider. If not they will change anyway, regardles of being listed in RIPE DB or not. So what's the problem at all?
If my satisfied client will receive a tons of offers from other peoples just because of I show him in open database - it is really good??? Is it really good for me to look up the database and send that offers to others? -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Thu, 12 May 2005 17:11:21 +0400 Max Tulyev <president@ukraine.su> wrote:
If my satisfied client will receive a tons of offers from other peoples just because of I show him in open database - it is really good???
Is it really good for me to look up the database and send that offers to others?
I don't think that it's good for you to be a spammer :)) But, if you wish to send UCE to "target auditory", you can also find this "target auditory" from many over sources then RIPE DB.:) If your customer exists in RIPE DB, or if it has meaningfull PTR records on used addresses,it isn't gives someone advantage in stealing this customer from you. -- Gennady Abramov, CCNA, CCNP; Demos-Internet NOC abramov@demos.net, AGV77-RIPE
Hi! New cup of gas on that fire ;) There is new database released: all bank transactions in Russia, IV quarter of 2004 (this is update to exist database from April 2003). It costs only $100 (source: http://top.rbc.ru/index.shtml?/news/policy/2005/05/20/20100238_bod.shtml). You can use it with RIPE DB and even see how much certain client pays for connection...
On Thu, 12 May 2005 17:11:21 +0400
Max Tulyev <president@ukraine.su> wrote:
If my satisfied client will receive a tons of offers from other peoples just because of I show him in open database - it is really good???
Is it really good for me to look up the database and send that offers to others?
I don't think that it's good for you to be a spammer :)) But, if you wish to send UCE to "target auditory", you can also find this "target auditory" from many over sources then RIPE DB.:) If your customer exists in RIPE DB, or if it has meaningfull PTR records on used addresses,it isn't gives someone advantage in stealing this customer from you.
-- С Уважением, Максим Тульев (MT6561-RIPE, 2:463/253@FIDO)
Public records are wonderful, as they gives us ordinary people the possibility to check up on the folks we elect into government :-) But offcourse these could be missused. More importantly you guys should pass some legislation on harvesting public records, for marketing material. I'm no way a legal expert, but that seems more resonable. We got something simmular in Sweden called offentlighetsprincipen. Basicly all material passing a government agency are put in the public records. We could even look up if someone have been convicted of a fellony, and read court documents. And offcourse look up annual income, and get pictures of the person, if he/she applied for a passport. Cheers! --Dennis Lundström GippNET AB, Stockholm Sweden Max Tulyev wrote:
Hi!
New cup of gas on that fire ;)
There is new database released: all bank transactions in Russia, IV quarter of 2004 (this is update to exist database from April 2003). It costs only $100 (source: http://top.rbc.ru/index.shtml?/news/policy/2005/05/20/20100238_bod.shtml). You can use it with RIPE DB and even see how much certain client pays for connection...
On Thu, 12 May 2005 17:11:21 +0400
Max Tulyev <president@ukraine.su> wrote:
If my satisfied client will receive a tons of offers from other peoples just because of I show him in open database - it is really good???
Is it really good for me to look up the database and send that offers to others?
I don't think that it's good for you to be a spammer :)) But, if you wish to send UCE to "target auditory", you can also find this "target auditory" from many over sources then RIPE DB.:) If your customer exists in RIPE DB, or if it has meaningfull PTR records on used addresses,it isn't gives someone advantage in stealing this customer from you.
And, not much of this has to do with address-policy anymore, somehow i feel the term spam coming up in my mind (?) rgds, -- ------ ___ -- Raymond Jetten Raymond.jetten@eunet.fi ----- / / / _ __ _/_ --- tel +358 3 41024139 ---- /-- / / / ) /__/ / ---- EUNet Finland fax +358 3 41024199 --- (___ (___/ / / (__ (_ ----- Tampere, Hermia gsm +358 45 6700139 -- ------ Network Engineer http://www.eunet.fi/ On Fri, 20 May 2005, [UTF-8] Dennis Lundström wrote:
Date: Fri, 20 May 2005 09:57:01 +0200 From: "[UTF-8] Dennis Lundström" <dennis@gippnet.com> To: Max Tulyev <president@ukraine.su> Cc: address-policy-wg@ripe.net Subject: Re: [address-policy-wg] RIPE DB: disclosure of commertial information
Public records are wonderful, as they gives us ordinary people the possibility to check up on the folks we elect into government :-) But offcourse these could be missused. More importantly you guys should pass some legislation on harvesting public records, for marketing material. I'm no way a legal expert, but that seems more resonable.
We got something simmular in Sweden called offentlighetsprincipen. Basicly all material passing a government agency are put in the public records. We could even look up if someone have been convicted of a fellony, and read court documents. And offcourse look up annual income, and get pictures of the person, if he/she applied for a passport.
Cheers!
--Dennis Lundström GippNET AB, Stockholm Sweden
Max Tulyev wrote:
Hi!
New cup of gas on that fire ;)
There is new database released: all bank transactions in Russia, IV quarter of 2004 (this is update to exist database from April 2003). It costs only $100 (source: http://top.rbc.ru/index.shtml?/news/policy/2005/05/20/20100238_bod.shtml). You can use it with RIPE DB and even see how much certain client pays for connection...
On Thu, 12 May 2005 17:11:21 +0400
Max Tulyev <president@ukraine.su> wrote:
If my satisfied client will receive a tons of offers from other peoples just because of I show him in open database - it is really good???
Is it really good for me to look up the database and send that offers to others?
I don't think that it's good for you to be a spammer :)) But, if you wish to send UCE to "target auditory", you can also find this "target auditory" from many over sources then RIPE DB.:) If your customer exists in RIPE DB, or if it has meaningfull PTR records on used addresses,it isn't gives someone advantage in stealing this customer from you.
Max Tulyev wrote:
В сообщении от четвер 12 травень 2005 17:00 Sebastian Abt написал(a):
Welcome to free market economy.
;-)))))
addressing database (with contact person, especially technical) there is easy to do this.
In most countries technical contacts don't decide which ISP to buy connectivity from... (Technical people look for the best, while "management" looks for the price... Technical people have to proof why solution A is better that B and sometimes are ignored anyway)
If your clients are satisfied they won't change their provider. If not they will change anyway, regardles of being listed in RIPE DB or not. So what's the problem at all?
Besides, there are other ways to find the info you want: - dig (nslookup) www.bibgcompany.su -> IP address whois IP address -> you know which ISP's customer the company is - dig (nslookup -type=SOA) bibgcompany.su (SOA) -> E-Mail address of responisble for dns - send mail to info@bigcompany.su ... - Meybe use a phone book and call in? .....
If my satisfied client will receive a tons of offers from other peoples just because of I show him in open database - it is really good???
In western (european?) countries there are trade laws which don't allow address harvesting (especially whois entries and other public data), placing unwanted offers, etc. You always can try to sell your offers however and it may be difficult to proof that others misued whaterver data (e.g. whois records)
Is it really good for me to look up the database and send that offers to others?
I can't see any advantage not place the customers in the whois DB, since there are other ways to find contact to them. Maybe the customers may not wan't to published there for whaterver reasons this might be. Guido
Hello!
In most countries technical contacts don't decide which ISP to buy connectivity from...
But technical peoples are that neck directing the head ;-)
Besides, there are other ways to find the info you want: - dig (nslookup) www.bibgcompany.su -> IP address whois IP address -> you know which ISP's customer the company is - dig (nslookup -type=SOA) bibgcompany.su (SOA) -> E-Mail address of responisble for dns - send mail to info@bigcompany.su ... - Meybe use a phone book and call in?
Ofcource yes. But RIPE DB is amazing tool if an attack directed againist certain ISP.
In western (european?) countries there are trade laws which don't allow address harvesting (especially whois entries and other public data), placing unwanted offers, etc.
Unfortunallly, there is no such laws in eastern one... I found an answer (bugfix?) to my question as using my contacts in assigned block againist using client's one. But I still think that some fields in RIPE DB should be hidden from public access (for example, crypted MD5 password, business sensistive data like clients contacts and maybe other). Like changed: attribute is now. Many other DB's have public and private access now, and it is good. For example, russian domains .ru and .su (RIPN DB) show only contact information for domain owner, and other data like mandatory passport and registration address fields are hidden. -- С Уважением, Максим Тульев (MT6561-RIPE, 2:463/253@FIDO)
Yes indeed. But in the ideal world noone does nasty things. And yes. It would be better If all information was available at any time. Unfortunatly there will allways be people misusing this freedom so to say. So the only option would be to hide some fields from the public whois. But we need to count in, that this will decrease the usability of the DB in general. NIC-se introduced a system some years back where their registrars could log in to a full unrestricted whois. But on the other hand, displaying full info for LIR:s only would be a bit to sadistic. Maybe a sollution would be to bind complete db access to a legal contract, wich needs to be applied for? Best regards. --Dennis Lundström GiPPNET AB, Stockholm Sweden Max Tulyev wrote:
Hello!
In most countries technical contacts don't decide which ISP to buy connectivity from...
But technical peoples are that neck directing the head ;-)
Besides, there are other ways to find the info you want: - dig (nslookup) www.bibgcompany.su -> IP address whois IP address -> you know which ISP's customer the company is - dig (nslookup -type=SOA) bibgcompany.su (SOA) -> E-Mail address of responisble for dns - send mail to info@bigcompany.su ... - Meybe use a phone book and call in?
Ofcource yes. But RIPE DB is amazing tool if an attack directed againist certain ISP.
In western (european?) countries there are trade laws which don't allow address harvesting (especially whois entries and other public data), placing unwanted offers, etc.
Unfortunallly, there is no such laws in eastern one...
I found an answer (bugfix?) to my question as using my contacts in assigned block againist using client's one.
But I still think that some fields in RIPE DB should be hidden from public access (for example, crypted MD5 password, business sensistive data like clients contacts and maybe other). Like changed: attribute is now.
Many other DB's have public and private access now, and it is good. For example, russian domains .ru and .su (RIPN DB) show only contact information for domain owner, and other data like mandatory passport and registration address fields are hidden.
Dennis and all, Dennis Lundström wrote:
Yes indeed. But in the ideal world noone does nasty things. And yes. It would be better If all information was available at any time. Unfortunatly there will allways be people misusing this freedom so to say. So the only option would be to hide some fields from the public whois.
Yes but which fields and why?
But we need to count in, that this will decrease the usability of the DB in general. NIC-se introduced a system some years back where their registrars could log in to a full unrestricted whois. But on the other hand, displaying full info for LIR:s only would be a bit to sadistic.
Why is such sadistic?
Maybe a sollution would be to bind complete db access to a legal contract, wich needs to be applied for?
Bad idea here. More lawyers more problems...
Best regards.
--Dennis Lundström GiPPNET AB, Stockholm Sweden
Max Tulyev wrote:
Hello!
In most countries technical contacts don't decide which ISP to buy connectivity from...
But technical peoples are that neck directing the head ;-)
Besides, there are other ways to find the info you want: - dig (nslookup) www.bibgcompany.su -> IP address whois IP address -> you know which ISP's customer the company is - dig (nslookup -type=SOA) bibgcompany.su (SOA) -> E-Mail address of responisble for dns - send mail to info@bigcompany.su ... - Meybe use a phone book and call in?
Ofcource yes. But RIPE DB is amazing tool if an attack directed againist certain ISP.
In western (european?) countries there are trade laws which don't allow address harvesting (especially whois entries and other public data), placing unwanted offers, etc.
Unfortunallly, there is no such laws in eastern one...
I found an answer (bugfix?) to my question as using my contacts in assigned block againist using client's one.
But I still think that some fields in RIPE DB should be hidden from public access (for example, crypted MD5 password, business sensistive data like clients contacts and maybe other). Like changed: attribute is now.
Many other DB's have public and private access now, and it is good. For example, russian domains .ru and .su (RIPN DB) show only contact information for domain owner, and other data like mandatory passport and registration address fields are hidden.
-- Jeffrey A. Williams Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!) "Be precise in the use of words and expect precision from others" - Pierre Abelard "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. E-Mail jwkckid1@ix.netcom.com Registered Email addr with the USPS Contact Number: 214-244-4827
Hi, Max Tulyev wrote:
Hi!
I have very strange situation.
One company I support, an ISP, wants to become a LIR. But they do not want to put information about their clients' assignments into the RIPE DB, because of there is a possibility to steal clients (most of them - major clients) using RIPE DB, and they says that there already was some incidents.
Really, you can see RIPE DB for assignments of LIR to have its client list with name of organisation, size (larger client have larger assignment), address, phone, fax, email, and even administrative and technical contact persons. Only you need to do - is to send (or even talk with) better offer addressing it to certain people...
What do you think about it?
...that this ISP just should not become a LIR if it doesn't feel like it can fulfil the requirements, like doing Assignments by the book? Actually, i think the ISP got worse problems if they need to hide their customers - most are proud of their more imporatant customers and mention them in big letters on their references webpages to show off. -- ======================================================================== = Sascha Lenz SLZ-RIPE slz@baycix.de = = Network Operations = = BayCIX GmbH, Landshut * PGP public Key on demand * = ========================================================================
participants (13)
-
amar andersson -
Dennis Lundström -
Elmar K. Bins -
Gennady Abramov -
Guido Roeskens -
Jeff Williams -
MarcoH -
Max Tulyev -
Raymond Jetten -
Sabri Berisha -
Sascha Lenz -
Sebastian Abt -
woeber