MySpace and GoDaddy Shut Down Security Site
Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"
The problem is reasonable. The response is not. There's a post above that illustrates the point, but this is the point.
Actually they are a registrar, but only for com/net/org.
There was a list compiled by a bunch of phishers that made it into the open a few months ago... Lot of security guys were using it to do things like check for the average complexity of passwords among users and suchlike. The first link I found on Google was the Tech Reads blog, dated 9/16/6 (mdy), so this is nothing new.
Ordering a takedown is pointless... I can't believe that those users weren't informed that they should change their passwords, and if they were, what's the problem?
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
GoDaddy was not hosting the site, they are the registrar for the domain name. As such they control DNS for seclists.org, and part of what they did was to change the nameserver from what it was supposed to be to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM, effectively preventing most people from accessing the site.
The IP in the A record for seclists.org is registered to "MEER NET," who is either hosting the site or reselling the hosting, and had nothing to do with what GoDaddy did.
Slashdot? Oh, I just read it for the articles.
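A registrar-level suspension like the one described in the comment above shows up as a change in the domain's NS delegation rather than in its hosting, so it can be caught by comparing the delegation against a pinned baseline. The following is an added example, not code from the thread: the baseline nameservers, the A record address and the sample dig-style answers are constructed, and only the suspension nameserver name comes from the comment.

```python
# Added example (not from the thread): classify a domain's NS delegation.
# BASELINE and the sample answers are constructed; only the suspension
# nameserver name is taken from the comment above.
SUSPENSION_ZONES = ("suspended-for.spam-and-abuse.com",)
BASELINE = {"ns1.example.net", "ns2.example.net"}  # constructed placeholder

NORMAL = """\
seclists.org. 3600 IN NS ns1.example.net.
seclists.org. 3600 IN NS ns2.example.net.
seclists.org. 3600 IN A 192.0.2.10
"""
SUSPENDED = "seclists.org. 3600 IN NS NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.\n"
REPOINTED = "seclists.org. 3600 IN NS ns1.other.example.\n"


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_ns(answer_text, domain):
    """Collect NS targets for `domain` from dig-style answer lines."""
    targets = set()
    for line in answer_text.splitlines():
        fields = line.split()
        # Expected shape: owner TTL class type rdata
        if len(fields) == 5 and fields[3].upper() == "NS" \
                and norm(fields[0]) == norm(domain):
            targets.add(norm(fields[4]))
    return targets


def classify(observed, baseline):
    """Return 'missing', 'suspended', 'changed' or 'ok'."""
    if not observed:
        return "missing"
    for ns in observed:
        if any(ns == z or ns.endswith("." + z) for z in SUSPENSION_ZONES):
            return "suspended"
    return "ok" if observed == {norm(b) for b in baseline} else "changed"


def check(answer_text, domain="seclists.org", baseline=BASELINE):
    """Parse an answer section and classify the delegation it shows."""
    return classify(parse_ns(answer_text, domain), baseline)


if __name__ == "__main__":
    for label, text in (("normal", NORMAL), ("suspended", SUSPENDED),
                        ("repointed", REPOINTED), ("empty", "")):
        print(label, "->", check(text))
```

In practice the answer text would come from querying the TLD's servers for the delegation on a schedule, so a change made at the registrar is seen even while resolver caches still hold the old records.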
I've sent email to GoDaddy's customer relations department asking for clarification of this, stating that I'm going to be pulling my personal sites (hosted there) and all domains (and my company's 350+ domains (no, we're not squatters..)). If this turns out to be true, and they can't clarify their position on when they might arbitrarily pull sites based on nothing but a request other than "when we feel like it" EVERYONE should get the hell out of Dodge, as they obviously are responsible business partners. Waiting for my reply, which will probably never come.
0) Take responsibility for your security being laughable, fire the people responsible, and secure your own shit before flinging it at others?
Hmmm.......
But this is Slashdot. A Slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
Everyone who is asking "WTF why do they even have the list?!" needs to go back and read the seclists.org list. It is an archive of a mailing list post, one which tens or hundreds of sites probably also have archived.
I believe MySpace and GoDaddy are both to blame here for reasons that any sensical person can see. I think I'll be looking for a new registrar now.
I have a dedicated server hosted by GoDaddy, and a few days before Christmas got an automated DMCA takedown request for something allegedly on the server.
/John Doe/
I got an email from GoDaddy saying "please take this down and respond that, under penalty of perjury, you did so."
I happened to be checking my email at this moment, 12:30 at night, so I looked into the issue and responded to the email that the issue was resolved.
The next morning, my server wasn't responding to pings. So I email again saying, "hey, I took care of the complaint before you unplugged my machine, can you, you know, plug it back in?"
Day goes by. Eventually I get a response:
"Thank you for your response to the Copyright Department. In order to reactivate the site in question we will need you to provide the following information in a single email response:
A. An electronic signature. (This can be a scanned copy of your physical signature, or as simple as typing your full name.)
B. Identification of the material in question.
C. A statement, under penalty of perjury, that the material has either been removed or will promptly be removed."
So I write back again, explaining the details. Again.
Day goes by. I call the tech support number and explain the situation. The tech support guy (who was very nice) told me he couldn't help, and I should try emailing the address I already had, twice. Sigh. I do it again.
Day goes by. I get the following response:
"Thank you for contacting the Copyright Claims Department. Unfortunately your previous email did not include a statement under penalty of perjury. Please submit a complete content removal statement at your earliest convenience to have your services reactivated. For your reference an example of a complete copyright removal statement is listed below.
I, John Doe, under penalty of perjury, will remove the offending content at http://www.mydomainname.com/myfile/page.htm promptly after the reactivation of my services.
John Doe
(Please accept the above as an electronic signature.)"
Okay, great. I finally found the magic formula. I copy the template exactly and fill in my details, send it out.
Day goes by. I get this back:
"Thank you for your email. We appreciate your responsiveness and cooperation on this matter. We have re-activated the account and services associated with your site. As some services require some time for propagation to take full effect, please allow 1-2 hours for the changes to take effect."
Ok, progress, finally.
Day goes by.
Day goes by.
Server still isn't responding. I email tech support to see if there's a problem. They tell me to try using the automatic reboot request form on the web panel. Sure enough, the system responds within minutes.
So basically, they were really on top of that from every angle. In the week my server was unavailable, I arranged for hosting at one of their competitors, Dreamhost.com, who rocks quite a bit. Specifically because of this incident, I probably won't renew the GoDaddy contract when it expires, but I also wonder if I'm really safer at any other ISP in America.
It's partially a shame because I really was perfectly satisfied with GoDaddy's hosting before this incident, and they just flat out botched it. The server provides bandwidth offloading for my main site, so I could survive without it for a week, but I couldn't imagine someone trusting their business to GoDaddy if they can callously cut your oxygen for a week.
It's also a shame because the DMCA required GoDaddy to have a knee-jerk reaction in the first place. I was basically accused, tried, and convicted by my service provider without any evidence or chance to defend myself. They should be looking at this as bad for business in even well-handled situations, and recognize that the best thing to do is take
Don't say, "don't quote me," because if no one quotes you, you probably haven't said a thing worth saying.
How exactly do you as the hosting provider handle such a thing? I believe GoDaddy did the right thing to a point.
GoDaddy was the domain registrar, not the hosting provider. There is a big difference. I would never use GoDaddy or any other domain registrar that would alter a registration without a court order.
Personally, I use directNIC and Domain Contender.
Parsons, the evil man in charge of GoDaddy, is running what I consider something of a pyramid-like scheme - if you cause no problems (as defined by them) you get cheap domain names
but if you break their rules (which they decide on) - they hit you for $$$$ on your pre-authorised credit card hmmm nice. I bet the mafia would like that racket.
Parsons screwed up on .eu and then whined and also whined about domain name knitting. As a European I'd not trust Bob Parsons with anything.
I'd rather give my money to a Chinese registrar than GoDaddy if they were the only two registrars left on the planet. There are other registrars but if Parsons thinks I'm stupid enough to give him our money and hope for the best he better think twice.
I'm not suggesting a free for all - but if you go to a higher power and not ask the people in charge then that means if a crime was committed I'd have to hold Bob Parsons responsible for all MySpace hacking crimes/spamming. - After all as a board director he admitted his guilt.
You heard what Domains by Proxy/Go Daddy did to the Foetry guy, right? http://foetry.com/newbb/viewtopic.php?p=906 He ended up on the front page of the LA Times because of them compromising his anonymity.
The French registrar is Gandi, as opposed to Ghandi. This is meant to assist people in finding them and is not intended as a spelling flame.
Be careful with comments like that. While I sympathize with you and might've done something similar, your credit card company might try to get you for fraud if they ever link that comment to you.
Need a Python, C++, Unix, Linux develop
Any reputable domain registrar will give you credit for all the remaining time on your current registration. You lose nothing by transferring.
Don't put it off. Do it today.
"Ain't no right way to do a wrong thing."