FYI

APNIC left a dump from its Whois SQL database in a public Google Cloud bucket
https://www.theregister.com/2021/06/22/apnic_whois_data_exposed/

The Asia Pacific Network Information Centre (APNIC), the internet registry for the region, has admitted it left at least a portion of its Whois SQL database, which contains sensitive information, facing the public internet for three months.

Jome
----
jorma@jmellin.net

Quoting Shane Kerr <shane@time-travellers.org>:
Nick,
On 22/06/2021 23.50, Nick Hilliard wrote:
Patrik Fältström wrote on 22/06/2021 21:23:
With regard to the ripe database and the rpki repo, it doesn't look like there are any specific legal issues that haven't been considered. All of this information is publicly accessible anyway. There may well be a different set of considerations for other types of data.
I don't think that it is okay to say "this information is publicly accessible anyway". On a RIPE Database or RPKI server there is meta-data about *who* is accessing the database, including timestamps, source addresses, and possibly other data. There is also meta-data about *what queries* are made to the database. There are also things to be learned about replication delays between servers, and surely a lot more that might be of interest to creative folks.
I don't know about now, but at one point there were firewalls and/or intrusion-detection systems that would query the RIPE Database to give the admin information about the source of suspicious traffic. An attacker trying to penetrate a network might be able to identify which security products were in use if given unrestricted access to WHOIS query logs. I'm not saying this is a likely scenario, I'm saying we should be cautious about declaring access to data safe. Humans (and increasingly AI) are ingenious about ways to use systems in unintended ways.
As a thought experiment to try to demonstrate the idea, how would you feel about a proposal to provide public access to complete system logs of all RIPE Database servers? If that makes you nervous in any way - and I think that it should! - then this is exactly why we should consider the operators hosting RIPE Database (and RPKI) resources important.
Cheers,
-- Shane