LISTSERV 16.5 - CODE4LIB Archives

This is actually the same registry, MIT has not-too-helpfullly linked to
the company's website and not the IP Registry itself, but you can get there
with a few clicks. We subscribe to a few of their journals so I suppose we
have to add an entry to the registry now.

Best,
Eric


On Wed, Dec 9, 2020 at 1:32 PM Tom Keays <[log in to unmask]> wrote:

> Oh boy. MIT Press is migrating to a new platform and they want us to be on
> yet another IP registry platform. From the email...
>
> *Sign up for PSI’s IP registry*, if you are not already registered.
> https://www.psiregistry.org/
> <
> https://mit.us2.list-manage.com/track/click?u=7caff40e82d72e9429c33df2a&id=2cb79f8b34&e=4349323911
> >
> .
>
> Does anybody have any experience with them?
>
> Tom
>
> On Sun, Dec 6, 2020 at 9:30 PM Fitchett, Deborah <
> [log in to unmask]> wrote:
>
> > In my experience, since we signed up, they do email us very occasionally
> > to say “Oh we heard such-and-such an IP range is you, can you confirm?”
> so
> > we can login and say “No, no that hasn’t been our IP range for 10 years,
> > who on earth still has that on file?”
> >
> > --More precisely, we can say “No.” But at least that’s something.
> >
> > It’s… problematic that they’re maintaining ranges for institutions who
> > haven’t signed up. I guess they’re thinking then there’s more incentive
> to
> > get publishers to come on board, since it is one of those services that
> > will work best if most people are on board, and getting momentum when few
> > people are on board is a challenge.
> >
> > I do really like the idea of the service. I come at this from having to
> go
> > through the “email/login to ALL the publishers to update IP ranges” about
> > three times in not very many more years, it was painful and I remain
> > traumatised. The idea of just being able to update a single place (or at
> > least a single place for most publishers and a few outliers individually)
> > is really appealing.
> >
> > I note a couple of their publishers are now using the IP Registry’s API
> to
> > stay updated with IP addresses, which seems like another great
> development.
> >
> > Maybe it’s worth sending them feedback that if they provide IP addresses
> > for institutions who haven’t signed up, they need to make it clear to
> > publishers that these are non-verified and publishers should always
> confirm
> > with the institution before making changes.
> >
> > Deborah
> >
> >
> > From: Code for Libraries <[log in to unmask]> On Behalf Of Lolis,
> > John
> > Sent: Saturday, 5 December 2020 12:25 PM
> > To: [log in to unmask]
> > Subject: Re: [CODE4LIB] The IP Registry
> >
> > It seems to me that they have a glaring omission in not notifying a
> > registrant when someone submitted or modified an IP address range for
> their
> > institution. Seems like a no-brainer to me.
> >
> > As for *publishers* providing IP address ranges to update an
> institution's
> > IP range, *what are they thinking?*
> >
> > John Lolis
> > Coordinator of Computer Systems
> >
> > 100 Martine Avenue
> > White Plains, NY 10601
> >
> > tel: 1.914.422.1497
> > fax: 1.914.422.1452
> >
> > https://whiteplainslibrary.org/<https://whiteplainslibrary.org>
> >
> > *When you think about it, *all* security is ultimately security by
> > ignorance.*
> >
> >
> >
> > On Fri, 4 Dec 2020 at 18:09, Will Martin <[log in to unmask]<mailto:
> > [log in to unmask]>> wrote:
> >
> > > They portray themselves as offering accurate IP ranges, when what
> > > they've got amounts to some guess-work. They don't really have any way
> > > to catch errors like the Choopa.net example Tom Keays gave, or the
> > > consortium sub-range in mine. Unless, of course, the way they catch
> > > those is to rely on people from the institutions to eventually log in
> > > and correct those for them.
> > >
> > > I'm going to go ahead and update my institutions ranges with them
> > > anyway, because I think I have to. But I'm not going to like them for
> > > it.
> > >
> > > Will
> > >
> > > On 2020-12-04 16:49, Tom Keays wrote:
> > > > A couple of years ago, when I was reviewing the IP set up for
> Scitation
> > > > for
> > > > my institution, I noticed it included an unfamiliar IP range,
> > > > 216.155.128.000 - 216.155.128.063. This was not the first time I had
> > > > encountered this range (although I don't have a record of what the
> > > > previous
> > > > vendors were where I found it). After spending some time
> investigating,
> > > > I
> > > > determined that it belonged to an internet hosting company called
> > > > Choopa.net. Definitely a bogus listing for us.
> > > >
> > > > Anyway, when I first set up my account at The IP Registry, they also
> > > > listed
> > > > this range. When I told them about it and asked them how they got it
> > > > and
> > > > explained that it should never have been there in their records, they
> > > > replied, "This IP range was supplied to us by a number of publishers
> > > > who
> > > > are using it to provide access."
> > > >
> > > > I don't really know how this range got listed as being valid for my
> > > > institution. Was it there because individual social engineered
> > > > somebody's
> > > > support team in order to get free access to online resources? I have
> to
> > > > assume so. I also don't know if The IP Registry got it from the
> > > > e-resource
> > > > vendors and accepted it without question or the vendors got it from
> > > > them,
> > > > again without question. Either way, it made me worry about trusting
> > > > them
> > > > too far.
> > > >
> > > > Tom
> > > >
> > > > On Fri, Dec 4, 2020 at 2:33 PM Jeremiah Kellogg <[log in to unmask]
> > <mailto:[log in to unmask]>>
> > > > wrote:
> > > >
> > > >> Yikes, this does sound like we're being forced into a service
> whether
> > > >> we
> > > >> want to use it or not. At our institution we're the default owner of
> > > >> a
> > > >> range of IPs we manage on behalf of a public library consortium that
> > > >> we're
> > > >> not actually a part of (so the consortium shouldn't be accessing our
> > > >> databases). The IP registry had grabbed that range of IPs and
> > > >> included
> > > >> them in our profile, but had them pending verification from our
> > > >> institution
> > > >> that we actually owned them before making them available to
> > > >> publishers. I
> > > >> ended up editing that range to exclude the consortium IPs, and then
> no
> > > >> longer had to verify the remaining range of IPs that were correct.
> > > >> Now
> > > >> that I really think about this, had I not made those edits, our
> proxy
> > > >> server would have been excluded and we would have faced a situation
> > > >> where
> > > >> our students, faculty and staff were denied access to the services
> > > >> they
> > > >> should be able to access. So we would have faced the opposite
> problem
> > > >> that
> > > >> you experienced, Will, where people would be denied access rather
> than
> > > >> given access they shouldn't have. Either way, the only apparent way
> > > >> these
> > > >> problems can be fixed is by signing up with the IP registry and
> > > >> updating
> > > >> things ourselves... and that's kind of underhanded. I'm not sure I'd
> > > >> worry
> > > >> too much about the legalities because it appears vendors, unlike our
> > > >> institutions, participate willingly, and if they're willing to take
> > > >> the
> > > >> ipregistry's word that our IP ranges are accurate that's on them.
> > > >> It's
> > > >> just really frustrating to think that we'd face these kinds of
> > > >> problems due
> > > >> to an outside entity getting things wrong on our behalf, and the
> only
> > > >> way
> > > >> to fix them is by signing up with them and making corrections.
> > > >>
> > > >> I don't think I mind them selling our improved IP data to vendors
> > > >> because
> > > >> that's the kind of thing most free services need to do to pay the
> > > >> bills
> > > >> these days. I might be putting the work into it, but it's not so
> much
> > > >> that
> > > >> I feel like I'm putting more in than I'm getting out of it. However,
> > > >> as
> > > >> you point out, Will, there doesn't appear to be a mechanism for
> opting
> > > >> out
> > > >> of their system, and that really stinks. I haven't dug too deep, but
> > > >> I
> > > >> wonder if there's a way of setting things up with vendors who use
> that
> > > >> service to stop using it when we make such a request? I think I'm
> > > >> pretty
> > > >> much on the same page as you, Will. It's a great idea for a service,
> > > >> but
> > > >> being forced into it will understandably leave a bad taste in
> people's
> > > >> mouths, and it also casts a bit of shadow on the service's
> integrity.
> > > >> I
> > > >> get that participation is important for this kind of thing, but I
> > > >> suspect
> > > >> there are better ways of getting people onboard!
> > > >>
> > > >> On Thu, Dec 3, 2020 at 6:02 PM Will Martin <[log in to unmask]
> > <mailto:[log in to unmask]>>
> > > >> wrote:
> > > >>
> > > >> > I am concerned by the fact that the IP Registry appears to have
> gone
> > > >> > around figuring out the IP ranges for schools based on public
> > records
> > > >> > from the IANA and a bunch of vendor records. I'm sure that was
> > > >> > difficult, and their site says it took four years. When it was
> done,
> > > >> > they announced that 58% of IP ranges were wrong, and began selling
> > the
> > > >> > service to vendors and telling them what our IP addresses are
> based
> > on
> > > >> > their analysis.
> > > >> >
> > > >> > I claimed the account for my institution and discovered that there
> > > were
> > > >> > 26 vendors already pulling my university's IP ranges from the IP
> > > >> > Registry. Unfortunately, the IP ranges were wrong. To name a few
> > > >> > problems:
> > > >> >
> > > >> > 1) They conflated us with another school in the same university
> > > system.
> > > >> >
> > > >> > 2) They could not know that there are a couple of IP ranges that
> we
> > > >> > prefer to be treated as "off campus" even though they belong to
> the
> > > >> > University.
> > > >> >
> > > >> > 3) They had no way to know that one particular range of our IPs is
> > > >> > assigned to a library consortium in our state, and used for proxy
> > > >> > servers that serve the other institutions in the university system
> > > plus
> > > >> > several dozen public libraries.
> > > >> >
> > > >> > The third point is critical. By distributing these erroneous IP
> > > ranges
> > > >> > on my school's behalf, without permission, the IP registry has
> > > >> > effectively granted access to 26 of our subscriptions to basically
> > > >> > everyone in my state. We are thus in violation of our license
> > > >> > agreements and will be at risk of legal action by the publishers
> > > until I
> > > >> > can sort this mess out.
> > > >> >
> > > >> > Because this involves multiple institutions -- my own, the broader
> > > >> > university system, the aforementioned library consortium -- I am
> > going
> > > >> > to have to contact and explain the situation to a lot of people,
> and
> > > >> > spend a lot of time checking and re-checking IP ranges, all in
> > service
> > > >> > of updating the IP Registry's records.
> > > >> >
> > > >> > Then they get to turn around and charge the publishers for my
> work.
> > > >> >
> > > >> > But frankly, their business model feels like extortion to me. We
> > have
> > > to
> > > >> > verify their records, or there's a chance that our resources will
> be
> > > >> > accessible to people who should not have access because their
> > analysis
> > > >> > was incorrect. They appear to have engineered a situation that
> puts
> > > my
> > > >> > institution in potential legal jeopardy, which we can only get out
> > of
> > > by
> > > >> > improving the data that the IP Registry is selling for a profit.
> > > >> >
> > > >> > I am not happy with them. The basic idea -- a centralized
> repository
> > > of
> > > >> > IP ranges for bulk updating publisher records -- is both sound and
> > > >> > useful. But their business model leaves a bad taste in my mouth.
> If
> > > I
> > > >> > could, I would opt out of the system. But they do not appear to
> have
> > > >> > made a mechanism available to do so.
> > > >> >
> > > >> > Will Martin
> > > >> >
> > > >> > Head of Digital Initiatives, Systems and Services
> > > >> > Chester Fritz Library
> > > >> > University of North Dakota
> > > >> >
> > > >>
> > > >>
> > > >> --
> > > >> Jeremiah Kellogg
> > > >> Systems Librarian
> > > >> Pierce Library
> > > >> Eastern Oregon University
> > > >> [log in to unmask]<mailto:[log in to unmask]>
> > > >> (541) 962-3017
> > > >>
> > >
> >
> > ________________________________
> >
> > "The contents of this e-mail (including any attachments) may be
> > confidential and/or subject to copyright. Any unauthorised use,
> > distribution, or copying of the contents is expressly prohibited. If you
> > have received this e-mail in error, please advise the sender by return
> > e-mail or telephone and then delete this e-mail together with all
> > attachments from your system."
> >
>