LISTSERV 16.5 - CODE4LIB Archives

Thanks Eric. I'm glad we only have to deal with one of these things.
Tom

On Wed, Dec 9, 2020 at 4:38 PM Eric Phetteplace <[log in to unmask]> wrote:

> This is actually the same registry, MIT has not-too-helpfullly linked to
> the company's website and not the IP Registry itself, but you can get there
> with a few clicks. We subscribe to a few of their journals so I suppose we
> have to add an entry to the registry now.
>
> Best,
> Eric
>
>
> On Wed, Dec 9, 2020 at 1:32 PM Tom Keays <[log in to unmask]> wrote:
>
> > Oh boy. MIT Press is migrating to a new platform and they want us to be
> on
> > yet another IP registry platform. From the email...
> >
> > *Sign up for PSI’s IP registry*, if you are not already registered.
> > https://www.psiregistry.org/
> > <
> >
> https://mit.us2.list-manage.com/track/click?u=7caff40e82d72e9429c33df2a&id=2cb79f8b34&e=4349323911
> > >
> > .
> >
> > Does anybody have any experience with them?
> >
> > Tom
> >
> > On Sun, Dec 6, 2020 at 9:30 PM Fitchett, Deborah <
> > [log in to unmask]> wrote:
> >
> > > In my experience, since we signed up, they do email us very
> occasionally
> > > to say “Oh we heard such-and-such an IP range is you, can you confirm?”
> > so
> > > we can login and say “No, no that hasn’t been our IP range for 10
> years,
> > > who on earth still has that on file?”
> > >
> > > --More precisely, we can say “No.” But at least that’s something.
> > >
> > > It’s… problematic that they’re maintaining ranges for institutions who
> > > haven’t signed up. I guess they’re thinking then there’s more incentive
> > to
> > > get publishers to come on board, since it is one of those services that
> > > will work best if most people are on board, and getting momentum when
> few
> > > people are on board is a challenge.
> > >
> > > I do really like the idea of the service. I come at this from having to
> > go
> > > through the “email/login to ALL the publishers to update IP ranges”
> about
> > > three times in not very many more years, it was painful and I remain
> > > traumatised. The idea of just being able to update a single place (or
> at
> > > least a single place for most publishers and a few outliers
> individually)
> > > is really appealing.
> > >
> > > I note a couple of their publishers are now using the IP Registry’s API
> > to
> > > stay updated with IP addresses, which seems like another great
> > development.
> > >
> > > Maybe it’s worth sending them feedback that if they provide IP
> addresses
> > > for institutions who haven’t signed up, they need to make it clear to
> > > publishers that these are non-verified and publishers should always
> > confirm
> > > with the institution before making changes.
> > >
> > > Deborah
> > >
> > >
> > > From: Code for Libraries <[log in to unmask]> On Behalf Of Lolis,
> > > John
> > > Sent: Saturday, 5 December 2020 12:25 PM
> > > To: [log in to unmask]
> > > Subject: Re: [CODE4LIB] The IP Registry
> > >
> > > It seems to me that they have a glaring omission in not notifying a
> > > registrant when someone submitted or modified an IP address range for
> > their
> > > institution. Seems like a no-brainer to me.
> > >
> > > As for *publishers* providing IP address ranges to update an
> > institution's
> > > IP range, *what are they thinking?*
> > >
> > > John Lolis
> > > Coordinator of Computer Systems
> > >
> > > 100 Martine Avenue
> > > White Plains, NY 10601
> > >
> > > tel: 1.914.422.1497
> > > fax: 1.914.422.1452
> > >
> > > https://whiteplainslibrary.org/<https://whiteplainslibrary.org>
> > >
> > > *When you think about it, *all* security is ultimately security by
> > > ignorance.*
> > >
> > >
> > >
> > > On Fri, 4 Dec 2020 at 18:09, Will Martin <[log in to unmask]<mailto:
> > > [log in to unmask]>> wrote:
> > >
> > > > They portray themselves as offering accurate IP ranges, when what
> > > > they've got amounts to some guess-work. They don't really have any
> way
> > > > to catch errors like the Choopa.net example Tom Keays gave, or the
> > > > consortium sub-range in mine. Unless, of course, the way they catch
> > > > those is to rely on people from the institutions to eventually log in
> > > > and correct those for them.
> > > >
> > > > I'm going to go ahead and update my institutions ranges with them
> > > > anyway, because I think I have to. But I'm not going to like them for
> > > > it.
> > > >
> > > > Will
> > > >
> > > > On 2020-12-04 16:49, Tom Keays wrote:
> > > > > A couple of years ago, when I was reviewing the IP set up for
> > Scitation
> > > > > for
> > > > > my institution, I noticed it included an unfamiliar IP range,
> > > > > 216.155.128.000 - 216.155.128.063. This was not the first time I
> had
> > > > > encountered this range (although I don't have a record of what the
> > > > > previous
> > > > > vendors were where I found it). After spending some time
> > investigating,
> > > > > I
> > > > > determined that it belonged to an internet hosting company called
> > > > > Choopa.net. Definitely a bogus listing for us.
> > > > >
> > > > > Anyway, when I first set up my account at The IP Registry, they
> also
> > > > > listed
> > > > > this range. When I told them about it and asked them how they got
> it
> > > > > and
> > > > > explained that it should never have been there in their records,
> they
> > > > > replied, "This IP range was supplied to us by a number of
> publishers
> > > > > who
> > > > > are using it to provide access."
> > > > >
> > > > > I don't really know how this range got listed as being valid for my
> > > > > institution. Was it there because individual social engineered
> > > > > somebody's
> > > > > support team in order to get free access to online resources? I
> have
> > to
> > > > > assume so. I also don't know if The IP Registry got it from the
> > > > > e-resource
> > > > > vendors and accepted it without question or the vendors got it from
> > > > > them,
> > > > > again without question. Either way, it made me worry about trusting
> > > > > them
> > > > > too far.
> > > > >
> > > > > Tom
> > > > >
> > > > > On Fri, Dec 4, 2020 at 2:33 PM Jeremiah Kellogg <[log in to unmask]
> > > <mailto:[log in to unmask]>>
> > > > > wrote:
> > > > >
> > > > >> Yikes, this does sound like we're being forced into a service
> > whether
> > > > >> we
> > > > >> want to use it or not. At our institution we're the default owner
> of
> > > > >> a
> > > > >> range of IPs we manage on behalf of a public library consortium
> that
> > > > >> we're
> > > > >> not actually a part of (so the consortium shouldn't be accessing
> our
> > > > >> databases). The IP registry had grabbed that range of IPs and
> > > > >> included
> > > > >> them in our profile, but had them pending verification from our
> > > > >> institution
> > > > >> that we actually owned them before making them available to
> > > > >> publishers. I
> > > > >> ended up editing that range to exclude the consortium IPs, and
> then
> > no
> > > > >> longer had to verify the remaining range of IPs that were correct.
> > > > >> Now
> > > > >> that I really think about this, had I not made those edits, our
> > proxy
> > > > >> server would have been excluded and we would have faced a
> situation
> > > > >> where
> > > > >> our students, faculty and staff were denied access to the services
> > > > >> they
> > > > >> should be able to access. So we would have faced the opposite
> > problem
> > > > >> that
> > > > >> you experienced, Will, where people would be denied access rather
> > than
> > > > >> given access they shouldn't have. Either way, the only apparent
> way
> > > > >> these
> > > > >> problems can be fixed is by signing up with the IP registry and
> > > > >> updating
> > > > >> things ourselves... and that's kind of underhanded. I'm not sure
> I'd
> > > > >> worry
> > > > >> too much about the legalities because it appears vendors, unlike
> our
> > > > >> institutions, participate willingly, and if they're willing to
> take
> > > > >> the
> > > > >> ipregistry's word that our IP ranges are accurate that's on them.
> > > > >> It's
> > > > >> just really frustrating to think that we'd face these kinds of
> > > > >> problems due
> > > > >> to an outside entity getting things wrong on our behalf, and the
> > only
> > > > >> way
> > > > >> to fix them is by signing up with them and making corrections.
> > > > >>
> > > > >> I don't think I mind them selling our improved IP data to vendors
> > > > >> because
> > > > >> that's the kind of thing most free services need to do to pay the
> > > > >> bills
> > > > >> these days. I might be putting the work into it, but it's not so
> > much
> > > > >> that
> > > > >> I feel like I'm putting more in than I'm getting out of it.
> However,
> > > > >> as
> > > > >> you point out, Will, there doesn't appear to be a mechanism for
> > opting
> > > > >> out
> > > > >> of their system, and that really stinks. I haven't dug too deep,
> but
> > > > >> I
> > > > >> wonder if there's a way of setting things up with vendors who use
> > that
> > > > >> service to stop using it when we make such a request? I think I'm
> > > > >> pretty
> > > > >> much on the same page as you, Will. It's a great idea for a
> service,
> > > > >> but
> > > > >> being forced into it will understandably leave a bad taste in
> > people's
> > > > >> mouths, and it also casts a bit of shadow on the service's
> > integrity.
> > > > >> I
> > > > >> get that participation is important for this kind of thing, but I
> > > > >> suspect
> > > > >> there are better ways of getting people onboard!
> > > > >>
> > > > >> On Thu, Dec 3, 2020 at 6:02 PM Will Martin <[log in to unmask]
> > > <mailto:[log in to unmask]>>
> > > > >> wrote:
> > > > >>
> > > > >> > I am concerned by the fact that the IP Registry appears to have
> > gone
> > > > >> > around figuring out the IP ranges for schools based on public
> > > records
> > > > >> > from the IANA and a bunch of vendor records. I'm sure that was
> > > > >> > difficult, and their site says it took four years. When it was
> > done,
> > > > >> > they announced that 58% of IP ranges were wrong, and began
> selling
> > > the
> > > > >> > service to vendors and telling them what our IP addresses are
> > based
> > > on
> > > > >> > their analysis.
> > > > >> >
> > > > >> > I claimed the account for my institution and discovered that
> there
> > > > were
> > > > >> > 26 vendors already pulling my university's IP ranges from the IP
> > > > >> > Registry. Unfortunately, the IP ranges were wrong. To name a few
> > > > >> > problems:
> > > > >> >
> > > > >> > 1) They conflated us with another school in the same university
> > > > system.
> > > > >> >
> > > > >> > 2) They could not know that there are a couple of IP ranges that
> > we
> > > > >> > prefer to be treated as "off campus" even though they belong to
> > the
> > > > >> > University.
> > > > >> >
> > > > >> > 3) They had no way to know that one particular range of our IPs
> is
> > > > >> > assigned to a library consortium in our state, and used for
> proxy
> > > > >> > servers that serve the other institutions in the university
> system
> > > > plus
> > > > >> > several dozen public libraries.
> > > > >> >
> > > > >> > The third point is critical. By distributing these erroneous IP
> > > > ranges
> > > > >> > on my school's behalf, without permission, the IP registry has
> > > > >> > effectively granted access to 26 of our subscriptions to
> basically
> > > > >> > everyone in my state. We are thus in violation of our license
> > > > >> > agreements and will be at risk of legal action by the publishers
> > > > until I
> > > > >> > can sort this mess out.
> > > > >> >
> > > > >> > Because this involves multiple institutions -- my own, the
> broader
> > > > >> > university system, the aforementioned library consortium -- I am
> > > going
> > > > >> > to have to contact and explain the situation to a lot of people,
> > and
> > > > >> > spend a lot of time checking and re-checking IP ranges, all in
> > > service
> > > > >> > of updating the IP Registry's records.
> > > > >> >
> > > > >> > Then they get to turn around and charge the publishers for my
> > work.
> > > > >> >
> > > > >> > But frankly, their business model feels like extortion to me. We
> > > have
> > > > to
> > > > >> > verify their records, or there's a chance that our resources
> will
> > be
> > > > >> > accessible to people who should not have access because their
> > > analysis
> > > > >> > was incorrect. They appear to have engineered a situation that
> > puts
> > > > my
> > > > >> > institution in potential legal jeopardy, which we can only get
> out
> > > of
> > > > by
> > > > >> > improving the data that the IP Registry is selling for a profit.
> > > > >> >
> > > > >> > I am not happy with them. The basic idea -- a centralized
> > repository
> > > > of
> > > > >> > IP ranges for bulk updating publisher records -- is both sound
> and
> > > > >> > useful. But their business model leaves a bad taste in my mouth.
> > If
> > > > I
> > > > >> > could, I would opt out of the system. But they do not appear to
> > have
> > > > >> > made a mechanism available to do so.
> > > > >> >
> > > > >> > Will Martin
> > > > >> >
> > > > >> > Head of Digital Initiatives, Systems and Services
> > > > >> > Chester Fritz Library
> > > > >> > University of North Dakota
> > > > >> >
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Jeremiah Kellogg
> > > > >> Systems Librarian
> > > > >> Pierce Library
> > > > >> Eastern Oregon University
> > > > >> [log in to unmask]<mailto:[log in to unmask]>
> > > > >> (541) 962-3017
> > > > >>
> > > >
> > >
> > > ________________________________
> > >
> > > "The contents of this e-mail (including any attachments) may be
> > > confidential and/or subject to copyright. Any unauthorised use,
> > > distribution, or copying of the contents is expressly prohibited. If
> you
> > > have received this e-mail in error, please advise the sender by return
> > > e-mail or telephone and then delete this e-mail together with all
> > > attachments from your system."
> > >
> >
>