MySpace and GoDaddy Shut Down Security Site
Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"
in case it would be bad for our PR, then no, in case it would be good for our PR, then yes, we take the site down. /sarcasm?
Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the entire site shut down?
That's like using a hand grenade to swat a fly.
The logical way to go about this is as follows:
Myspace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation, which would have made it clear that they were looking at one page out of a quarter million... at which point they should have either told MySpace to contact the host, or done it themselves.
Even if, after all these steps, GoDaddy still decided to suspend the registration, they should have contacted him first: remove this page or we'll have to disable your site. Failing that, they should have told him why it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.
Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.
In other words, "We have no backbone. We obey power. You have none. MySpace does. Any questions?"
------ The best brain training is now totally free : )
In the linked article Fyodor calls MySpace the "new AOL." I can see it. It certainly seems to encourage people to throw all caution to the wind.
As to what MySpace did, I'm honestly surprised how incredibly angry that makes me. I thought I was jaded by the petulance of businesses at this point. And Godaddy's response -- geez. I don't understand how a business can take your money and then refuse to talk to you.
Well, no -- I understand how they can do it. I understand it perfectly well. They do it because they figure they can get away with it, because even if they piss off one customer, how are the rest ever going to find out? Or care?
Eviscerati.Org: All Hail the Eviscerati
....because Rupert Murdoch would have just bought them and fired the people who questioned whether NewsCorp has the right to restrict freedom of information.
And, by the way, I hope GoDaddy's reading this. I'm moving my domains away from you because of your lackadaisical approach to our constitutional rights.
Rock is dead. Long live scissors and paper!
does not agree with my content?
It's time for some contract review...
What the hell was a list of usernames and passwords doing on the site anyway? Can anyone shed some light on this? That's a huge security risk. An attacker could use usernames and passwords to launch a massive spam attack via MySpace's messaging features.
Domain registrars should remain neutral in content disputes. Quis custodies ipsos custodes?
GoDaddy doesn't care if you are stupid enough to host with them. You deserve all you get.
IANAL but wouldn't the site owner have some serious legal ammunition against both MySpace and GoDaddy?
This seems to me to be an issue for the courts, not an IT department.
------ The best brain training is now totally free : )
I'm about to move my website from one host to another because my current shared hosting company (Netactuate, formerly VR Hosted) is falling down on their ass. I haven't even been able to load my cpanel this morning, and I tried two different connections - but their front page loads in a snap. I only jumped on them because of the gentoo hosting special but lunarpages is 2/3 the price of the discounted rate... I get 5GB and lunar gives 250GB, I get 200GB of transfer or something like that (I can't even load the cpanel to see what my quota is) and lunarpages gives 2.5 TB. I'll miss the shell access, but I can live without. Anyway, the moral of this story is that I think I'll take advantage of this moment to transfer my domain registration from godaddy to another registrar. Anyone have any recommendations?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
do not apply to your business relationship with a registrar.
... not that I need any more. Six is probably too much as it is...
That said, GoDaddy acted irresponsibly and their reaction to the whole thing guarantees I'll never consider them if I want to register a domain.
Eviscerati.Org: All Hail the Eviscerati
I wonder when they start doing something 'good' for the internet community. Seeing IP connection from Russia on my servers somehow always makes me nervous...
Woo hoo, GoDaddy completely submitted to MySpace. As TFA said, Google for duckqueen1 if you're interested in the list.
The LAST thing in the world I would want to do as a registrar, or ANY web based business for that matter, is to piss off a bunch of hackers. I think karma might prevail on this one.
So, anyone have any recommendations for less-retarded registrars which might actually deserve my money?
I can definitely say that I would be upset if my registrar simply shut down my site because "someone else" didn't like it.
There are proper ways of fixing these things.
Well I suppose I'll have to avoid using GoDaddy. I already avoid MySpace like the plague and mock anyone who uses it. Pretty lame. They could have just pulled it down temporarily until they contacted the guy but they had to remove everything.
never buy a domain from godaddy again...
You get what you pay for with GoDaddy. I certainly wouldn't expect them to take my side in a dispute with MySpace, News Corp, or, frankly, anyone with a significant number of lawyers on their side.
Providers, by and large, will cave to any request from a big company...Hell there was an article about it here a few days ago, that linked the BoF Experiment where they posted a public domain work on 10 different places, and then sent DMCA takedown notices to all 10 places, and had 7 remove it immediately even though it was clearly marked as public domain.
Face it; a hosting site that will stick up for its customers against a significant threat from a big company is hard as hell to find, and sure as hell GoDaddy isn't going to do it for 10 bucks a month.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
"remove a site that happened to archive a list of thousands of MySpace usernames and passwords"
Why were these posted on the site? Was this part of disclosure regarding a security issue that MySpace wasn't willing to address?
The problem is reasonable. The response is not. There's a post above that illustrates the point, but this is the point.
Ummm.. All I have to ask is, why the hell would you host a security site through a hosting company as "mickey-mouse" as GoDaddy? Come on... You can tell just how much they appreciate their customers by how much they spam you with offers to buy more features and unnecessary "added value" bullshit while you are trying to just buy a simple domain name registration or the like.
Thank you!
I don't have any problem with what was done. These are private companies and private websites and if I thought some internet site was compromising the security of others, I'd pull the plug too and ask questions later.
- Find a competing business's website that is hosted by (or has their domain registered with) GoDaddy
- Search for some location where user-submitted content may be posted (perhaps forums, or a shoutout box)
- Post something that seems to be potentially "harmful" for their site security
- Contact GoDaddy to take down the entire site
- ??? (Case-by-case basis!)
- PROFIT!
You know, GoDaddy keeps doing things that make me question whether I should keep my domains registered with them or not. It should be downright bloody illegal to do what GoDaddy did. Or if not illegal, it should have serious repercussions for them as a registrar up to the point of dropping their registrar status.
Besides, MySpace's effort was entirely useless. Those usernames/passwords were already compromised, Fyodor's site was just one that had it from the many places it can be found. The sensible thing would have been a forced password reset for the users involved, not trying to coerce a registrar.
My position is that unless a legal, court ordered action is forced on the registrar, it should be forbidden to drop anything. And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue. Go bugger the hosting company with legal documents.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
For instance if the propagation of a large scale worm depended on a server at www.example.com. There are two effective ways to stop the worm in its tracks. One is to shut down the server at www.example.com. And the other is to pull the domain record. In such a situation most of us would advocate yanking both. I can't say that a registrar should never take action like this without a court order. But I don't believe this instance was justified.
Does anyone have any experience with domain registrars that would have handled this situation better than did GoDaddy? I'd love a registrar that's demonstrated that it strikes a better balance between "anything goes" and "you so much as look at us cross-eyed and we'll shut you down".
The Busy Coder's Guide to Android Development
The next few thousand registered usernames on myspace will strangely resemble something like:
...
';DROP database;select * from x where '=
';DROP database;--
\';\'\';DROP database;--
It is very strange indeed.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
CYA or over-zealous [self-]policing?
/me thinks fear has got a little too strong of a grip.
1. Unconscionable: How I feel about this whole matter. Completely unconscionable that GoDaddy could or WOULD do anything like this.
2. 142: The number of domains I have registered with GoDaddy.
3. $1500: Roughly the annual amount I pay for my domains to renew them each year.
4. 48: The number of hours I have allotted myself this weekend to transfer each and every one of them AWAY from GoDaddy to someplace like NameCheap.com or DomainMonitor. Haven't decided yet.
5. True: Boolean value for whether or not I am pissed-off.
6. Very Much: The level of item 5, above's, value.
I completely agree 100% with all that you said. I also know that it would never happen.
Companies that are at the size and scale that allows them to say, in a condescending voice, "we're the world's largest X" in the span of a simple phone conversation, are completely incapable of the approach that you gave.
Personal, manual, coordinated investigation for a case involving 0.001% of your business? No frickin' way. There's probably 50 such cases every day, if not every hour. The order of the day is to pull the plug first, get whined and bitched at, and even publicly slagged later. Manual labor costs barely justify a "consumer relations" person to smooth over the bruised egos of an irate domain-holder once in a while. The chances of upsetting a C|Net reporter on each one of these little cases is so low that they can almost ignore the downside of being consumer-unfriendly.
Roughly speaking, this transition, from big successful company to huge mean company, is about when they start using the term 'consumer' instead of 'customer.' The term 'consumer' is there to highlight the situation where they have customers on both sides, and there's a conflict of interest in helping the little customer (B2C) when a big customer (B2B) complains.
This is why you should never, ever enter a contract without reading the fine print. It's all too easy to click the "I accept" button without reflecting what you've just accepted. I wouldn't be surprised if godaddy have a "we may yank your domain at any time for any reason" clause in there somewhere...
I've sent email to GoDaddy's customer relations department asking for clarification of this, stating that I'm going to be pulling my personal sites (hosted there) and all domains (and my company's 350+ domains (no, we're not squatters..)). If this turns out to be true, and can't clarify their position on when they might arbitrarily pull sites based on nothing but a request other than "when we feel like it" EVERYONE should get the hell out of Dodge, as they obviously are responsible business partners. Waiting for my reply, which will probably never come.
GoDaddy can GoFuckThemselves
#!/
I'll bet you think this nasty "freedom of speech" ideal is a national security threat as well. All these damn people wanting to say whatever they want. They're out of line!
... when I think about it more, what MySpace did was reprehensible but it's really the standard level of reprehensible I've come to expect from companies that grow more sociopathic the more successful they become. But GoDaddy pulled the plug and gave their paying customer no way of trying to resolve the problem -- he had to force the issue on his own. That leaves a really sour taste in my mouth. It almost makes me wish I had domains registered there just so I could transfer them.
Eviscerati.Org: All Hail the Eviscerati
This is hardly a freedom of speech issue when the content in question is username/pwds. It would be if it were "billy-bob gates suckx and makes bad products..."
The more effective approach is to build the business case against choosing godaddy in the future. Nothing hurts them more than a shot in the pocketbook.
Personally, I question the wisdom of going with a company the size of godaddy to begin with. But that's me.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Sounds reasonable to me.
And me too, but we seem to have the minority opinion here. I love reading the justifications on why this is "evil" of GoDaddy to do this. Then again, what do you expect from Slashdot readers? Last week everyone was up in arms because the RIAA and a SWAT team arrested a guy for "making mix tapes" when in fact he was a bootlegger with over EIGHTY THOUSAND bootleg CDs that got confiscated and it had nothing to do with mix tapes.
Everyone who is asking "WTF why do they even have the list?!" needs to go back and read the seclists.org list. It is an archive of a mailing list post, one which tens or hundreds of sites probably also have archived.
I believe MySpace and GoDaddy are both to blame here for reasons that any sensical person can see. I think I'll be looking for a new registrar now.
If you REALLY feel strongly about this, you can become a registrar yourself. This is the direction that Fyodor should move in, given what he does.
Myspace would then either have to deal with him directly (which is what they should have done in the first place), or go to ICANN. Good luck with the latter.
Yes, it's more money. Yes, it's more hassle. The point is that there ARE options out there for the right price. If you really want to be resistant, incorporate offshore and set up your hosting service there.
Or if that's too much, just use an offshore hosting service.
Honestly, there are a lot of options out there. The only thing really surprising here is that Fyodor hasn't made use of them yet, given the grey area (as seen by some) that he deals in.
the Constitution only applies to the relationship between a citizen and the government. The Government can't take action to suppress my free speech (well, obviously it can -- but it shouldn't be able to) -- but these rights can be almost nonexistent when it comes to business relationships. For example, I can't say anything I like in a privately owned building on the grounds that I have free speech -- when I'm on private property, my right to free speech is drastically weakened.
A webhost is also not bound by the constitution -- it can refuse to host anyone it likes, and if it finds your content objectionable for any reason it can shut you down. This is because the server space is privately owned, and you have to play by their rules.
A registrar is not precisely the same thing as a webhost, and perhaps it is under more strict federal regulation and oversight. But I don't think you can take constitutional protections for granted in a business arrangement with a private company.
Eviscerati.Org: All Hail the Eviscerati
I see a lot of Slashdot readers pulling their domains to another registrar. I don't know if any are better, but at least there have to be some that haven't already taken these draconian measures.
I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure Slashdot readers must control the registration of several million domains.
I hope this publicity shows as a giant drop on their revenue graph.
OK. Let's take a real-world analogy. You're trying to capture a criminal suspect who lives in a town of 250,000. You know his name. You know where he lives. You know he's at home. Do you:
A. Send police to his home and arrest him?
B. Place the entire city under house arrest, saving you the trouble of sending that squad car?
I have only 2 domains with GoDaddy, but if they will not provide explanation, I'll pull out too and will help spread the word. Just wouldn't be able to trust them. What if they transfer ownership of my domain if someone asks them? What if they charge my credit card for some insane amount of money just because they feel like it?
I can actually see this happening. It's election day 2008, and Slashdot posts yet another story about how hackable Diebold voting machines are. Some election official goes ballistic, and asks Slashdot's ISP and/or registrar to knock them off the net for the rest of election day. One or the other complies.
Creepy.
who the hell is Fyodor Vaskovich?
afaik Gordon Lyon aka "Fyodor" is the father of nmap..
I know a band that had petitioned GoDaddy to take action against a Russian website selling their MP3s illegally (not all of mp3 but a small fish like Muza something.com) but no action was taken. I guess you have to be a big dog like MySpace to pull something like this off.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
How exactly do you as the hosting provider handle such a thing? I believe GoDaddy did the right thing to a point. They should have taken it down immediately, but should have tried to contact Fyodor immediately also. What you have to remember is it was listing user names and passwords of 250,000 MySpace users. I'm not a fan of MySpace or GoDaddy, but they did the right thing no matter how you feel about it. What if someone posted your account information (banking, email, FTP, unix, SS#, etc) along with 250,000 other people's on Google's home page along with any other prevalent information. Would you prefer your information be displayed for hours if the hosting provider could not get a hold of Google for the next seven hours, or shut it down immediately to stop the flow of that information and would (or *should*) get Google's attention quickly.
I don't know how much of an effort they made to contact Fyodor, but I don't think taking down that information was wrong.
I was looking at GoDaddy's page last night and was considering doing business with them. Then I came across this story: GoDaddy, the domain registrar (not the webhost) pulls someone's domain registration (not the website) without notice, process, or warning to the customer just because some large company requested it. The real-life equivalent would be the sheriff coming and evicting you from your home because someone made a noise complaint.
/. leans a little to the crazy side of things, but I do not believe so in this case. I consider it at least rude of Myspace to go over the site owner's head and get the registrar to take out the entire domain without letting the site owner know about it. GoDaddy is not necessarily evil for going along with the request but it certainly is unorthodox and complying will not help their business any. And, to the article's point, it will not actually remove the data from the public domain, so for GoDaddy this was a stupid move and they gain nothing but bad PR for taking it. Stupid, not evil...
Go fuck your self.
Well, we don't really know this. Not sayin' it's so, but I can see Fyodor Vaskovich telling them to "get fucked" or similar.
If you want news from today, you have to come back tomorrow.
This is news to me. I've been using the 'Report Inappropriate Content' link on pages with horrific password-stealing traps, whenever they get spammed to me. So far the quickest response from Myspace has been nearly a month. It seems obvious they just don't care about stolen passwords, and they don't have to care.
names in the web hosting industry anyway. Web hosting forums are full of godaddy horror stories. Guy should take notice before working with them.
Read radical news here
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0282.html
Now please shut down Google?
Oh I see, they are corporate and Fyodor is the little guy, I forgot!!!
The point is that Myspace, a large corp, asked Godaddy, another large corp, for the removal of a domain. The domain pointed to an ISP that hosted a site that had some passwords that are all over the internet. I am not saying Fyodor had a right to post those passwords (IANALetc but this sounds like a case of yelling fire in the cinema to me) but he didn't even have a chance to do anything about it. This all happened over his head, he wasn't notified. Myspace had no court order. Godaddy didn't have a legal or moral leg to stand on. Plus, the domain name itself has nothing to do with the content, which is hosted at the ISP, which is NOT Godaddy (AFAIK), so why didn't Myspace take it up with them? Or, omg, with Fyodor? The point is not that he shouldn't be punished (or not, it's for the court to decide) but that he was convicted and executed without so much as being told what for.
That's why Godaddy is "evil": they don't want what's best for its customers (Fyodor in this case), they want what's safest for them. The land of the brave (and the free, but that's another post) it is not.
Also: can you supply a URL for that bootleg story? I'd like to check it out.
I'm looking for a new registrar to which I will transfer my domain. I have already decided on lunarpages for hosting, as they are far and away the cheapest for the disk space and monthly transfer. I'll miss the shell account, but not so much that I want to pay more for less. The only thing I really need to make up for the lack of a shell is a good file manager with support for unpacking and creating archives, so I'm looking for one of those too.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How is this a troll? Typical Slashdot bullshit.
What does that have to do with anything? If you don't like "large corps" that's fine, but it has little to do with this issue here.
If you want news from today, you have to come back tomorrow.
If you don't like GoDaddy's business practices, check out https://www.pairnic.com/index.html. It's the sister of pair networks who hosts many great sites. ...but the perlmonks already know that.
I don't work for Pair but I know folks who do.
Just when I was starting to forget why GoDaddy and MySpace were a bunch of bullies and cowards.
God Be Gone
A few MySpace usernames and passwords isn't such a big deal. I say (in the name of security) we request that CNN.com be taken down, I mean they have an entire special section devoted to how to rob a bank! (http://www.cnn.com/CNN/Programs/presents/index.rob.bank.html)
And how about we shut down government websites too. I mean that 9/11 report (and lots of other reports) could be used to help terrorists figure out how to attack us!
everyone knows they suck, but yet continue to use them. *yawn*
Funny thing is... I have reported active phishing sites which are HOSTED by GoDaddy, and it takes them up to 2 weeks to take them down... ON THEIR OWN FUCKING SERVERS!!!!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
I have been dealing with Joker.com for a while.
Aside from the sustained DoS attacks from mid-2006, there haven't been any problems.
Also, being a Swiss company with operations in Germany, they won't act as quickly when a big American company threatens.
Go with a non-US registrar, you'll fare much better.
I'm mirroring it on my site.
Xatrix Security - Computer Security news portal
Of course, IANAL, but this is pretty straightforward. Does the contract between the site owner and GoDaddy allow for GoDaddy to do this? If it does, then the owner has no real recourse, except to move somewhere with a better agreement. If the contract does not allow this, then the owner has the right to sue for breach of contract and any contract-allowed or statutory damages.
There's no censorship or big brother implications. This is a simple business relationship with contractual obligations by both sides. It happens all the time in meatspace, there's no reason for everyone to get their panties in a wad over what is happening on the net.
Is it just my observation, or are there way too many stupid people in the world?
That is crazy; why not simply block the page(s) with the bad info and sort out details w/ the page owner?? That to me would be more even-handed.
Joker.com is not US-based. It's in Switzerland and one of the better ones.
Let's see how long it takes until slashdot is taken down.
Dear GoDaddy,
Please take down Myspace for poorly designed profiles and the constant server errors when I view girls pictures.
Thank you
Bryan
People -- if you don't like the DMCA or U.S. registrars, instead of whining about it simply switch to joker.com (in Switzerland) or Gandi (in France) or any of the non-U.S. based registrars out there. They will take your credit cards and a currency conversion is handled automatically. If you don't like it -- SWITCH. Vote with your wallet. Eventually U.S. based registrars WILL GET IT. SALES depts will kick their asses until they do.
"Sounds reasonable to me. Fyodor was out of line. And, it's not up to GoDaddy to filter through the 100,000's of Fyodor's pages, he's already shown the domain to be a security threat. If he wants GoDaddy to reverse its actions, he needs to clean up his act himself. That's not GoDaddy's job."
Very true, except nor is it their job to act as judge, jury and executioner just because some other company demands something to be done.
Sure, the information was a security threat to MySpace, but it was not illegal in itself (even though methods used to obtain and some uses it could be used for it might have been, but same could be said for LOTS of things).
Let's turn this around: someone posts proof that not only is product X by company Y unsafe due to its tendency to explode but also that the company knows about it and continued selling it.
What does the company do?
Ask that the site owner pull the content? Nope
Go to the courts to get an injunction? Nope
Go to the courts to get the host to pull the site? Nope
Sue the publisher in the courts? Nope
Get the registrar to pull the entire site? Bingo
Do you really want registrars to have that kind of power with that lack of controls?
"When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"
In translation, if a big fish asks us to shut down a little fish we will, for anything else who gives a damn
GoDaddy and MySpace both are wrong about what happened here, in some cases. MySpace has a legit claim about protecting usernames and passwords. They were wrong for first reporting to GoDaddy, when they really should have gone through channels, just like everyone else. Personally, they should be taking a better stance on security, but with the popularity of MySpace as of late, it probably won't do a lot of good. It's going to get hit more than the school nerd by the football team. GoDaddy is also in the wrong for acting so fast without having investigated to see that the proper channels were taken. GoDaddy's Terms and Conditions states that they can pull your domain at any time without reason or notice. Keep in mind that the guy who runs seclists.org states that he was indeed contacted. However, GoDaddy is also wrong for not giving him enough of a chance to respond prior to pulling his domain. There are definitely quirks in the system. Someone obviously needs to put MySpace in their place. GoDaddy should definitely do something to better serve the customer in instances like this. And the customer should definitely be held accountable for the content of his site, especially when users submit information. If you're not watching the content being submitted to be sure that it complies with terms and conditions that you agreed to, then in my opinion, responsibility (at least some) should fall there. Terms and conditions are essentially a contract/license for use. If you violate those terms, then the provider has the right to pull your services. That's just like if you don't pay your cable bill, the cable provider has every right to pull your service until you're in compliance. How is this different than someone submitting other illegal materials and having services suspended because of said illegal material? I'm not saying that anyone is right here, just that people shouldn't be so surprised when this kind of thing happens as a result of a violation of said terms.
I'm not sure I understand how this is a freedom of speech issue though. Granted the guy should have had the opportunity to respond appropriately, which I'm sure he would have complied with no problems. I think they're all wrong. Perhaps the lesson here is that when you read "You agree that we have the right to change these terms from time to time" in a terms and conditions statement from a service provider that you think twice before agreeing and if you do agree, expect some things to possibly show up that you may not agree with.
I have a dedicated server hosted by GoDaddy, and a few days before Christmas got an automated DMCA takedown request for something allegedly on the server.
/John Doe/
I got an email from GoDaddy saying "please take this down and respond that, under penalty of perjury, you did so."
I happened to be checking my email at this moment, 12:30 at night, so I looked into the issue and responded to the email that the issue was resolved.
The next morning, my server wasn't responding to pings. So I email again saying, "hey, I took care of the complaint before you unplugged my machine, can you, you know, plug it back in?"
Day goes by. Eventually I get a response:
"Thank you for your response to the Copyright Department. In order to reactivate the site in question we will need you to provide the following information in a single email response:
A. An electronic signature. (This can be a scanned copy of your physical signature, or as simple as typing your full name.)
B. Identification of the material in question.
C. A statement, under penalty of perjury, that the material has either been removed or will promptly be removed."
So I write back again, explaining the details. Again.
Day goes by. I call the tech support number and explain the situation. The tech support guy (who was very nice) told me he couldn't help, and I should try emailing the address I already had, twice. Sigh. I do it again.
Day goes by. I get the following response:
"Thank you for contacting the Copyright Claims Department. Unfortunately your previous email did not include a statement under penalty of perjury. Please submit a complete content removal statement at your earliest convenience to have your services reactivated. For your reference an example of a complete copyright removal statement is listed below.
I, John Doe, under penalty of perjury, will remove the offending content at http://www.mydomainname.com/myfile/page.htm promptly after the reactivation of my services.
John Doe
(Please accept the above as an electronic signature.)"
Okay, great. I finally found the magic formula. I copy the template exactly and fill in my details, send it out.
Day goes by. I get this back:
"Thank you for your email. We appreciate your responsiveness and cooperation on this matter. We have re-activated the account and services associated with your site. As some services require some time for propagation to take full effect, please allow 1-2 hours for the changes to take effect."
Ok, progress, finally.
Day goes by.
Day goes by.
Server still isn't responding. I email tech support to see if there's a problem. They tell me to try using the automatic reboot request form on the web panel. Sure enough, the system responds within minutes.
So basically, they were really on top of that from every angle. In the week my server was unavailable, I arranged for hosting at one of their competitors, Dreamhost.com, who rocks quite a bit. Specifically because of this incident, I probably won't renew the GoDaddy contract when it expires, but I also wonder if I'm really safer at any other ISP in America.
It's partially a shame because I really was perfectly satisfied with GoDaddy's hosting before this incident, and they just flat out botched it. The server provides bandwidth offloading for my main site, so I could survive without it for a week, but I couldn't imagine someone trusting their business to GoDaddy if they can callously cut your oxygen for a week.
It's also a shame because the DMCA required GoDaddy to have a knee-jerk reaction in the first place. I was basically accused, tried, and convicted by my service provider without any evidence or chance to defend myself. They should be looking at this as bad for business in even well-handled situations, and recognize that the best thing to do is take
Don't say, "don't quote me," because if no one quotes you, you probably haven't said a thing worth saying.
Oh, but it most certainly does. It's the whole point of the matter. GoDaddy isn't an ISP - it's a domain name registrar. The ISP is someone else entirely. The DMCA would have allowed MySpace to deal with this issue through the hosting ISP via a takedown notice, but that apparently wasn't satisfactory for some reason, so they instead went to a completely uninvolved third party (GoDaddy) and got them to do the dirty work without having to bother with all those legal hassles.
This whole situation, frankly, stinks to high heaven. It's kind of like your boss getting annoyed with you because of who you voted for in the last presidential election. He might not like your candidate, but there's nothing he can really do to you over it, legally. So he calls up his buddy who works for the state police and gets him to cancel your driver's license and register you as a sex offender.
...nothing to see here. GoDaddy has been known for a long time to be an unfriendly registrar.
Wanna get GoDaddy to knock a site down? Send in a spam complaint, or two! It's fun! They'll even happily charge the domain owner a fee to resume access to the domain.
FrostyPISS, you ignorant slut.
Seclists.org archives security related mailing lists.
Somebody sent this information to one of the lists (among other places) and the information was archived in turn.
This information is weeks old and widespread. Google for it.
Publication of security threats is no more a security threat than not publishing security threats. That's a trade off. Threat awareness and information versus none. You state Fyodor needs to clean up his act and insinuate criminality for this? There were charges? A court order? NO! In fact GoDaddy pulled the plug on the domain at MySpace request without even inquiring upon Fyodor and seclists.org. Informing yes if you would be so generous as to allow the short time spans involved as an attempt to inform but inquiring of the accused or giving the accused opportunity to rectify the complaint, no.
Given circumstances, GoDaddy has assumed the duties of not only global policeman in this domain, but judge, jury and executioner! Where GoDaddy falls down is in accepting the responsibility and at least equally important, performing the duties that go with being policeman, judge, jury and executioner. GoDaddy, in exuberance acted with impunity and arrogance in wielding their power while failing in their duty having abdicated the responsibility to fairness and due process.
For GoDaddy to wrap themselves in the trappings of God does not make them one no matter how distorted, twisted and perverted they might see their holy Terms of Service Agreement.
You bleat that GoD-addy's actions are reasonable. You don't see the threat but then how could you. You are not informed and too lazy to be otherwise. I don't care about you or people like you for all such and sundry get what they deserve but the rest of us should not have to suffer the disease of your infections or stand nostril deep in the rotting cesspool of intellectual maggots and worms which course through the skulls and animate the distorted faces of the un-dead in your personal hell.
FrostyPISS. The name of your choosing seems appropriate as I spice your urine filled goblet with the herbs of humiliation. Now tilt your head back and guzzle.
This is not the first time I've read an article that questions the sensibility of those running GoDaddy. My question is, are there any decent, relatively inexpensive places to register a domain? Yahoo partners with MelbourneIT for their domain stuff, what's their reputation? For all those people using the GMail for your domain service, where you have to bring your own domain, who are those people predominantly using? Any suggestions? GoDaddy seemed to be the rage a couple of years ago, and maybe they still are, but are there any good alternatives?
I must say I now understand GWB's decision to avoid getting court orders to carry out surveillance on US citizens a lot better. Indeed, if the courts become involved, it is necessary to balance everyone's rights. It is far better just to ensure one's own interests are satisfied: the other guy's rights are unimportant. Right?
Actually, perhaps we could extend this to our treatment of criminals. Getting the courts involved is so messy. Why not just physically beat them or string them up on the spot, depending on how serious we feel the crimes are that they committed?
Call me an alarmist, but the problem is that the way this was conducted was more reminiscent of 1990's Russia than 2007 America. Corporation X has a pest and asks Corporation Y to swat it, probably under (implied) threat of some retaliatory action. Today it's "users and passwords" and tomorrow it could be "some pesky service they provide that interferes with our profits". This basic respect of the law and process that we apparently have in the West is an absolutely critical component of our prosperity. If small fish begin to fear that they can be arbitrarily swatted by large players, our entrepreneurial spirit will be choked.
I got those questions too from large and smaller sites, first line didn't know what to do. My response to those things:
Dear,
Please contact the owner of the domain for such matters. If you have any problems finding this, the information can be queried through the whois database. We do not comply with any request for take down unless signed by a judge in our LOCAL district court (the exact information for such procedures can be found in our legal notices on our website).
If you have any further questions, please contact your legal counsel or a legal counsel in our district to proceed.
Sincerely,
MyName
Usually I didn't get any further communication on this. We had a few times the police come in to 'take down' the server. We denied access to our datacenters and told them to take a hike. We also had a few times the police (detectives) to get an 'IP address' for a website (they heard you needed that somehow). We just wrote it down on a piece of paper and gave it to them, they must have thought it was like a package or device they were going to get to disable a site because they asked: What is that? An IP address. Is that it? Yes. Is the site down then? No. But we want it down! No, sorry, gotta get a court order AND a search warrant for our premises AND a search warrant for our clients premises (since the server is their premises).
Custom electronics and digital signage for your business: www.evcircuits.com
I'm too lazy to read recent TOS on inww.com. But a number of years ago their agreement was OUTSTANDING. It was one of the very few that DIDN'T allow the registrar to arbitrarily change the TOS at their whim. Don't know if that is still the case. Of course ALL registrars have to bend over for ICANN being able to change anything and everything at their whim.
It's a sad day when Network Solutions starts looking like the good guys
This is why I use the IP address to address my website. A registrar can't de-register an IP address.
Take responsibility for your security being laughable, fire the people responsible, and secure your own shit before flinging it at others?
The passwords in question were obtained by phishing. The quality of MySpace's security (short of one-time scratch off keys, biometrics, or synced key generators - none of which are currently appropriate for a social networking site) has nothing to do with this. When your users cheerfully give out their user name and password, there's little that a social networking site can do other than to lock the accounts. The various posters are correct that MySpace and GoDaddy did not behave appropriately, but your post adds nothing useful to the conversation. If you're going to slag on MySpace, do so for valid reasons.
Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.
Eh, they use Network Solutions as their registrar - good luck getting anything done there.
Good concept, though.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
So when someone writes shoddy code on a site that google indexes and caches, which contains the connection details for the database running said site, would said site's owner be within their rights to have Google shut down???
Of course not, because the average domain owner doesn't have f*cktons of money.
Now with more sodium!!
The French registrar is Gandi, as opposed to Ghandi. This is meant to assist people in finding them and is not intended as a spelling flame.
I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.
As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.
In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.
In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.
In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.
An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.
I don't know of any parent who wouldn't want their child's username and password protected.
Ben Butler
Director of Network Abuse
The Go Daddy Group, Inc
Abuse@GoDaddy.com
I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure Slashdot readers must control the registration of several million domains.
:)
I'm real happy with DynDNS. They've always done right by me and my clients, their service always works, and since I've started using them some friends have gone to work there (based in Manchester, NH). They also have many free services and support work done in the open source community. $15/yr for registration - not the cheapest out there but cheaper than some. It appears to be the price necessary for good service. Normally if I posted this it would be followed up with posts by GoDaddy fans who rave about their service.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This isn't the first time I've heard of them doing something like this. Basically, if they don't like some content on your website utilizing a domain registered through GoDaddy, they'll revoke the registration. No court order required.
The one thing I can't figure out is why they are so highly rated by the more technical users. Is it their lower prices combined with decent customer service? I pay a bit more at Dotster, but I've never heard of them yanking a domain for no good reason.
Thus, fuck GoDaddy and their shit policies.
http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html
GoDaddy got back to me. General counsel Christine Jones defends taking down SecLists.org, saying that Fyodor had close to an hour to respond to GoDaddy's voicemail and e-mail warnings yesterday, and didn't.
"We couldn't reach him, and because the content was hundreds and hundreds of MySpace user names and password, we went ahead and redirected the domain to remove that content," she says.
An hour's notice doesn't seem much time before shutting down someone's website, particularly when the content in question is nine days old. Jones says there was urgency, because so many MySpace users are young teenagers, and they could suffer serious privacy invasions if perverts start logging into their profiles to get private photos and messages.
"For something that has safety implication like that, we take it really seriously," she says. "For spammers, we give people a little bit of time to respond to us."
Ouch. Archiving Full Disclosure is worse than spamming.
Awesome.
Natural != (nontoxic || beneficial)
At a minimum, you kill the accounts, and move on. You don't start taking 3rd parties down because you can't be bothered to secure your own site.
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
I've been using that magazine-ad-behemoth known as 1&1 for registrations (and hosting) for awhile. They're cheap and have a non-ugly, reliable CP, but does anyone know of a reason (apart from their mainstream-ness) to avoid them? I haven't come up with anything in the time I've been using them.
Your mind is clear / The things that you fear / Will fade with how much you / Believe what you hear
If you really want to be able to depend on your data being there, host it yourself. Or, for christ's sake, if you need a bigger pipe, use a more reliable host than GoDaddy.
how old is marticock now??
On his Jan 18 entry he says: Tricky now.
I asked GoDaddy what their side of it was. This is what they sent me:
I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.
As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.
In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.
In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.
In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.
An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.
I don't know of any parent who wouldn't want their child's username and password protected.
Ben Butler
Director of Network Abuse
The Go Daddy Group, Inc
You are totally blocking my view of the wall. - Dogbert
Certainly, it was wrong.
GoDaddy did nothing right in this.
Specifically:
To clarify: even in the event there possibly did turn out to be an actual, legitimate, legal basis for the complaint, no process was followed to actually attempt to assess what that might be, nor to determine what a proper response -- other than taking down the entire domain -- might have actually been.
This, in the simplest of terms, is entirely a case of thoughtless censorship without even the most basic attempt at fact-finding.
How should they have handled it?
They should have:
This should have been the end of GoDaddy's involvement.
In the event the site's Responsible Party and MySpace did not come to an understanding, and they were again approached by MySpace, GoDaddy should then have:
if they were only the registrar, and not the hosting provider:
if they were also the hosting provider, they should then have:
Only in the event that GoDaddy's preliminary review did lead them to believe the claim was founded, they should have either (in general, so bear with me):
if the material fell under DMCA,
or, if not covered by DMCA,
Does anyone have the original link? Does Way Back Machine have it there? Maybe their registrar should shut them down.
As a US Citizen who lives in the US, the *LAST* place I want my domains registered is in a foreign country.
If GoDaddy screws me, I have enforceable legal recourse. If joker.com screws me, it is much, much, much harder to seek legal remedy.
paintball
They seem nice, friendly people with no clue about how their industry works.
GoDaddy: Lord Vader, we received note from the Death star contractors that your website was containing their schematics of the battle station and so we... [grabs throat]
Darth Vader: You have failed me for the last time, GoDaddy! $NEW_REGISTRAR!
$NEW_REGISTRAR: Yes, Lord.
Darth Vader: I am transferring my website to your control. You are in command now. Do not fail me...
[GoDaddy collapses]
It's time that those in power, whether governments or large corporations, stopped using this argument (along with the "If we don't curtail some of your rights, the terrorists have already won.") to justify their abuses.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
RTFA before spouting your mouth off, and you won't look like such an idiot.
I am a Godaddy customer and I'm not happy with this. Not one bit. It isn't *your* job to enforce Internet safety. It's your job to look after the domain names of your customers. Get that straight: I pay *your* salary. You and Bob Parsons work for *me and all your other customers*. I really resent the idea that some corporation can say right words to you, and shut down my web site. You're my domain shop. You are not my Priest, Lawyer or Moral Guardian. If MySpace want to shut something down, make them go to the courts and get an order like everyone else. Your behavior on this matter is abysmal. It worries me so much that if anyone here suggests a similarly priced service, I'll go there. Quite frankly, I don't trust with my domain names.
So what if they're mySpace UN/PW combos? Where was this info garnered from? Badly secured mySpace servers? Or bot'd user PC's? Either way, the proper thing to do is to SHUTDOWN all of the listed accounts on mySpace, and advise the users to 1) Scan their PC's for virus infections, 2) change their passwords...
But given that a quarter million accounts would be affected, that'd be a news story that NewsCorp probably wouldn't want out there, so the Corporate thing to do was to shut down the guy with the list...
Too bad the Corp's don't understand that info on the Internet never really goes away... shut down one site with it and 2 others pop up...
And GoDaddy can go f themselves... They should have told MySpace to get a court order to shut down the site...
Seems reasonable to me too. But, as somebody said, the outrage is typical of slashdot users. People who say this is "censoring" or a "violation of rights" don't know the context from which rights derive. You DO have a right to free speech - but that doesn't mean somebody else has to provide you a meeting hall, a newspaper, an online forum, or a website for you to promote your ideas on. The right to free speech does not supersede the right to property.
As was agreed to by the person who registered with GoDaddy on behalf of seclists.org, GoDaddy reserves the right to do what they did to sites which violate their terms. Well.. a site violated the terms, GoDaddy took it down. I haven't read GoDaddy's TOS, but I'd even say it's generous of them to let the site come back up at all, they could have probably just taken it down completely, forever..
GoDaddy, go.
- Go to a random website hosted at one of these providers (or registered at GoDaddy).
- Create hotmail account (or yahoo, or some other free untraceable e-mail provider)
- Send takedown request
- Lather, rinse, repeat
For the careful, use an open proxy during the whole activity. For the extra bold, send paper letters.
If enough people did this, these providers would either get the hint and take these takedown requests with a grain of salt, or they would end up chasing enough of their customers that it would hit them in the balance sheet.
It's not even difficult to do, the BOFH paper provides form letters and other helpful hints on how to pull it off (i.e. follow up in case ISP responds), as well as a list of ISPs which are most vulnerable to this legal DOS.
So, if you're bored one rainy Sunday afternoon, you know what to do!
MySpace would then have contacted their customers and let them change their passwords.
Once the passwords were published, they have to be changed anyways, haven't they?
...a stunned silence fell upon the hall.
Great customer service and comparable price wise to GoDaddy.
The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
I sent an email to GoDaddy protesting the take down of seclists.org. Here is the reply I received from them. They somehow manage to tie this back to protecting children...Uh, sure, do I look like a fucking n00b, okay, I guess I don't look like anything via email, but COME ON!!!
Scott,
I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.
As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.
In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.
In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.
In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.
An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.
I don't know of any parent who wouldn't want their child's username and password protected.
Ben Butler
Director of Network Abuse
The Go Daddy Group, Inc
Abuse@GoDaddy.com
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
I'd say they ARE appropriate for a social networking site. They're even relatively cheap -- PayPal is now offering something similar for only $5. (Of course, it might get a bit hairy if you had a different hardware authenticator for each web site, but if myspace really was serious about security, they could offer it to people that felt the need for it and it would be appropriate now.)
The problem is that people wouldn't use it and were it required, it would kill off casual social networking sites. People are willing to use it for things like Paypal (although I suspect a large number of people won't use it until forced) because it affects them financially. I could see users of more technology oriented sites like LinkedIn being interested in greater security, but I'd bet that if MySpace/LiveJournal were to require them, a large number of users would leave for a site that was similar but didn't.
The problem isn't the people who feel the need for it - they prolly have a halfway decent password to begin with and aren't going to send it to a random phishing site. The problem is the low hanging fruit, and places like MySpace are going to have an awful lot of them.
In another life Bob 'n' Co.
I asked a buddy with a plethora (yes, a plethora) of domains. He recommended:
..."
http://www.namesecure.com/
I asked him if he'd look at GKG.net. He said their agreement says: "GKG reserves the right to suspend, cancel, transfer or modify your services in the event that:
Just another GoDaddy.
To be clear: He said NameSecure doesn't have that clause
"If you want to get honey, Don't kick the beehive." --Dale Carnegie, author of How to Win Friends and Influence People
"*scoff* Whatever, nerd." --GoDaddy and MySpace.
The Rapture is NOT an exit strategy.
To have a right to do a thing is not at all the same as to be right in doing it
we need a 'Godwin's Law' for the "Won't somebody think of the children?" argument