Re: [NSE] ip-geolocation

[Fyodor <fyodor () insecure org>]

On Tue, Jun 28, 2011 at 04:57:54PM -0700, Fyodor wrote:
> On Tue, Jun 28, 2011 at 04:46:17PM -0700, Fyodor wrote:
> > On Tue, Jun 14, 2011 at 02:36:48PM +0200, Gorjan Petrovski wrote:
> >
> > Hi Gorjan.  The ip-geolocation-quova includes three API keys that you
> > apparently got by free registration.  When you registered, did it make
> > you agree to any sort of terms of use?  Does including these
> > "secret_codes" in Nmap violate their terms?
> >
> > Even if we keep the API keys in there, the script should have an NSE
> > argument for people to give their own keys instead.  Can you add that
> > and document it in the NSEDoc?
>
> These questions and the suggestion applies to the
> ip-geolocation-infodb database too.

We needed to build a release, so David and I looked into this.
Quova's makes you agree to their TOS in order to get an API key, and
their TOS seems to pretty clearly ban this sort of usage
(http://developer.quova.com/apps/tos).  So we had to delete the script
for now.  Gorjan: Can you write them and ask for permission to use it
in Nmap?  They'll probably say no or ask for money (which means no in
the case of a free tool like Nmap), but it doesn't hurt to ask.  If
they say no or don't answer, then we'll have to make it so that the
script requires the user to input an API key as an NSE arg or by
modifying the .nse.

IPInfoDB, on the other hand, doesn't seem to have a clear policy
against this.  It didn't make me agree to anything when I tried
registering.  But would you (Gorjan) write to them and ask permission
anyway?  I've kept the script in for now, but we should do the same as
Quova (require the user to provide a key) if IPInfoDB says that we
can't redistribute a key in our script.

Thanks,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/