[arin-discuss] The joy of SWIPping

Divins, David dsd at servervault.com
Tue May 13 13:43:11 EDT 2008 

The opposite lookup is also problematic for some.  Lets assume OrgA is
not running a public site, but a private exchange between select peers.
Lets say OrgB hates OrgA and wants to cause havoc and so on.  Knowing
only OrgA's name, using only SWIP, they can map ADP and Physical
locations of that organization-- information that would otherwise be
unavailable via other means.  Some will claim by not having that reverse
map, that is relying on security by obscurity.  I disagree and feel that
a legitimate portion of a well rounded security posture can be to not
publish a directory of private information (in this case the IP
allocations).

-dsd

David Divins
Principal Engineer
ServerVault Corp.
(703) 652-5955
-----Original Message-----
From: arin-discuss-bounces at arin.net
[mailto:arin-discuss-bounces at arin.net] On Behalf Of Jeremy Anthony
Kinsey
Sent: Tuesday, May 13, 2008 1:33 PM
To: arin-discuss at arin.net
Subject: Re: [arin-discuss] The joy of SWIPping


On May 13, 2008, at 12:09 PM, Aaron Wendel wrote:

> Why is it always about SPAM?  Let me give you some other real
> examples:
>
> Customer A rents a server for his Clan.  Clan A.  It's not a business 
> so his
> personal information with his home address gets put in the SWIP.   
> Clan B
> gets ticked off at Clan A and sends someone over to the address in the

> SWIP (since the domain was private) and threatens his life in front of

> his family.  VERY angry customer calls me the next day demanding his 
> info be removed and threatening to sue for breach of privacy.
>
> Customer B runs a political forum.  User A doesn't like what Customer 
> B
> posts so he starts sending death threats to Customer B's wife.   
> Domain is
> private but there's actually a mistake in the SWIP info that shows up 
> on the address which makes it easy to figure out where User A got his 
> info.
> Customer B's wife is hysterical which causes Customer B to be very 
> angry with me.
>
> I tried to tell both of these guys that I HAVE to do it because 
> otherwise I can't get new IPs and it HAS to be right because, after 
> all, they might be spammers but it just didn't fly.
>
> Both of these examples really happened.  We lost both customers and 
> the police had to get involved.
>
> One other question for everyone out there that's sort of related, How 
> do you reconcile posting customer information in a public database 
> with your privacy policy?
>

Because PUBLIC information is not PRIVATE... Couldn't I find out about
Customer A and B by looking in the phone book.  By using Google or
Google Earth?  All this information can be obtained through numerous
other methods.  I find it hard to believe that name/address/tel in a
whois DB is somehow responsible for all the spam on the planet.  I
understand the argument, I just think things are a bit overstated here.


Regards,
Jeremy Anthony Kinsey
  e-mail: jer at mia.net
_____________________________________
Bella Mia, Inc.                                      www.mia.net
401 Host Drive                              www.dslone.com
Lake Geneva, WI. 53147         www.hostdrive.com
Phone: (262)248-6759       www.thednsplace.com
Fax: (262)248-6959            www.hostinglizard.com

_______________________________________________
ARIN-Discuss
You are receiving this message because you are subscribed to the ARIN
Discussion Mailing List (ARIN-discuss at arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-discuss
Please contact the ARIN Member Services Help Desk at info at arin.net if
you experience any issues.

More information about the ARIN-discuss mailing list