[Fischgericht]

Understood. Not my startup, but I would have started the other way round.

Businesses that would be willing to pay (a lot) for such a benefit often will be very conservative. In Germany the majority of medium sized businesses using SAP for example still refuse to be moved to SAP's cloud instead of on-premise.

C-Level types typically are not worried putting their email credentials etc into Outlook cloud and getting hacked this way. They are used to "everything is in the cloud". However, as soon as you mention, depending on the type of business "patents", "sales contacts", "production plans" C's will change their mind.

In Germany, where I am originally come from, all of these businesses are worried about their trade secrets to end up in China, and rightly so.

As self-hosting is very complex you could either make good money with consulting (but this means setting up tech teams in all target markets around the globe, using actual competent humans), or by selling it as a plug&play appliance. With that appliance simply being a rack server with a suitable GPU installed.

And again, for your business strategy the long-term risk of pretty much everyone trying to hack you on a daily basis appears too high to me. You might not have on your radar how serious industry spionage is. You will definitely have a fake utility company worker coming into your offices, trying to plug in a USB keylogger into some PC while nobody is looking.

As an example, proven strategy: Find targets internet uplink. Cut it. Customer calls ISP for help. You then send a fake ISP technician that arrives before the real one does. You put a data exfiltration dongle between the modem and the LAN. You then fix the cut outdoor line. Customer is happy that you have fixed it. Later the actual ISP guy arrives. Everyone will be a bit confused that the problem was already fixed, but then agree that it's probably just the ISP once again having screwed up their resource management. Works pretty much every time.

[selcuka]

> You put a data exfiltration dongle between the modem and the LAN.

Sounds interesting, and could be used in a movie, but it doesn't look like it is practically applicable in real life. You will have a hard time making sense of the data without full-MITM'ing with SSL decryption, installing your CA certificate on all machines and browsers on the LAN, and solving the certificate pinning problem.

A USB keylogger may be a simpler solution even though it can't sniff the whole LAN.

[Fischgericht]

Well, as this is standard practice the movie would be a ... documentary? ;)

I wasn't clear here enough: The device at this point enables you to typically see all devices on the LAN and WLAN on L2. Which means you can do ARP spoofing and all that kind of stuff. One of the first things you then would look at is what printers are available to infect. People often print interesting things :)

And yes, of course the USB keylogger is the cheap lazy solution. These days due to second factors not that useful as it used to be, but still... you can deploy it in seconds pretty much in every office, shop or governmental institutions.

But to not further drift into off-topic:

I am serious about all this. Should Grapevine be successful and for example one day put out a press release like "Procter & Gamble is now using our services", you will have in addition to state actors (China, Russia, Israel) a thousand kids looking up that P&G makes a profit of $15 Billion or whatever per year, and that they surely will pay 1% of that for not having all of their company data published.

If you look at existing knowledge management system that are deployed in physical-world-companies, you will see that they actually are not allowed to index all the data, but as you would be running against a lot of laws and management best practices if in the next coffee brake everybody would laugh about poor Tony who once had a really stupid concept, created a draft document of it, but then noticed that it won't work and make him look like a fool.... Thought not giving it to his manager would solve that "problem", but it got indexed as company knowledge..

So, erm, yeah: Existing knowledge management systems to a large extend are about NOT sharing knowledge.

Sorry for this raw brain dump of mine into this thread :)