Slashdot Mirror

← Back to Stories (view on slashdot.org)

MySpace and GoDaddy Shut Down Security Site

Posted by kdawson on from the sudden-darkness dept.

Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"

16 of 344 comments (clear)

  1. Case-by-case basis... by 192939495969798999 · · Score: 4, Insightful

    in case it would be bad for our PR, then no, in case it would be good for our PR, then yes, we take the site down. /sarcasm?

    --
    stuff |
    1. Re:Case-by-case basis... by nmb3000 · · Score: 4, Insightful
      The problem is that whatever the cause, this was bad for GoDaddy's PR, and Slashdot users should let them know.

      I'd suggest that everyone here who is disgusted with this action, especially those who have domains registered with GoDaddy, email GoDaddy public relations and/or email their domain registration support.

      Just as an example, here is what I sent:

      Regarding the recent action GoDaddy took against Seclists.org, I want to know just *why* I should keep my domains at GoDaddy, and not transfer to somebody who shows some respect for their customers.

      I find it disgraceful that GoDaddy would bend over when somebody like MySpace pushes a little. How can I now know that my domains are safe from being shut down on a whim? By not following any meaningful procedure to resolve the conflict, you have caused myself and many others to loose any faith we had with you as a registrar.

      When my domains expire in a few months, I will be transferring them to another registrar unless GoDaddy publicly apologizes to Fyodor Vaskovich, the owner of Seclists.org. In addition, he should also receive some compensation for his trouble, such as a free three-year renewal for all his domains.

      See http://it.slashdot.org/article.pl?sid=07/01/26/154 2218 for more information and more customer responses.
      Maybe if they get hit hard enough, somebody over there--maybe even ol' Bobby Parsons (does anyone know his email address?)--will figure out that companies can't pull this kind of crap anymore without repercussions.
      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
  2. Overkill by Kelson · · Score: 4, Insightful

    Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the entire site shut down?

    That's like using a hand grenade to swat a fly.

    The logical way to go about this is as follows:

    1. Contact the site maintainer and convince them them to take the page down.
    2. If that fails, contact the hosting provider, and convince them to take the page down. (Just the page, not the whole site.)
    3. If that fails, and only then, contact the registrar and convince them to suspend the site.

    Myspace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation, which would have made it clear that they were looking at one page out of a quarter million... at which point they should have either told MySpace to contact the host, or done it themselves.

    Even if, after all these steps, GoDaddy still decided to suspend the registration, they should have contacted him first: remove this page or we'll have to disable your site. Failing that, they should have told him why it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.

    Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

    1. Re:Overkill by DBCubix · · Score: 5, Insightful

      Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.

      --
      I called it a mighty Sperm Whale, she called it Finding Nemo.
  3. Case by case basis by popo · · Score: 4, Insightful


    In other words, "We have no backbone. We obey power. You have none. MySpace does. Any questions?"

    --
    ------ The best brain training is now totally free : )
  4. Myspace is the new AOL by brennanw · · Score: 4, Insightful

    In the linked article Fyodor calls MySpace the "new AOL." I can see it. It certainly seems to encourage people to throw all caution to the wind.

    As to what MySpace did, I'm honestly surprised how incredibly angry that makes me. I thought I was jaded by the petulance of businesses at this point. And Godaddy's response -- geez. I don't understand how a business can take your money and then refuse to talk to you.

    Well, no -- I understand how they can do it. I understand it perfectly well. They do it because they figure they can get away with it, because even if they piss off one customer, how are the rest ever going to find out? Or care?

    --
    Eviscerati.Org: All Hail the Eviscerati
  5. domain registrar neutrality by Anonymous Coward · · Score: 4, Insightful

    Domain registrars should remain neutral in content disputes. Quis custodies ipsos custodes?

  6. Overkill is an understatement by A+beautiful+mind · · Score: 5, Insightful

    It should be downright bloody illegal to do what Godaddy did. Or if not illegal, it should have serious repecussions for them as a registrar up to the point of dropping their registrar status.

    Besides, Myspace's effort was entirely useless. Those usernames/passwords were already compromised, Fjodor's site was just one that had it from the many places it can be found. The sensible thing would have been a forced password reset for the users involved not trying to coerce a registrar.

    My position is that unless a legal, court ordered action is forced on the registrar, it should be forbidden to drop anything. And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue. Go bugger the hosting company with legal documents.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  7. I see a giant drop in revenue for GoDaddy by CharlieHedlin · · Score: 4, Insightful

    I see a lot of slashdot readers pulling their domains to another registrar. I don't know if any are better, but at least there have to be some that haven't already taken these draconian messures.

    I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure slashot readers must control the registration of several million domains.

    I hope this publicity shows as a giant drop on their revenue graph.

  8. Re:What's the problem? by remmelt · · Score: 3, Insightful

    The point is that Myspace, a large corp, asked Godaddy, another large corp, for the removal of a domain. The domain pointed to an ISP that hosted a site that had some passwords that are all over the internet. I am not saying Fyodor had a right to post those passwords (IANALetc but this sounds like a case of yelling fire in the cinema to me) but he didn't even have a chance to do anything about it. This all happened over his head, he wasn't notified. Myspace had no court order. Godaddy didn't have a legal or moral leg to stand on. Plus, the domain name itself has nothing to do with the content, which is hosted at the ISP, which is NOT Godaddy (AFAIK), so why didn't Myspace take it up with them? Or, omg, with Fyodor? The point is not that he shouldn't be punished (or not, it's for the court to decide) but that he was convicted and executed without so much as being told what for.
    That's why Godaddy is "evil": they don't want what's best for its customers (Fyodor in this case), they want what's safest for them. The land of the brave (and the free, but that's another post) it is not.

    Also: can you supply a URL for that bootleg story? I'd like to check it out.

  9. joker.com or any non-us registrar. by Zurk · · Score: 4, Insightful

    people -- if you dont like the DMCA or U.S registrars instead of whining about it simply switch to joker.com (it switzerland) or ghandi (in france) or any of the non-U.S. based registrars out there. They will take your credit cards and a currency coversion is handled automatically. if you dont like it -- SWITCH. vote with your wallet. eventually U.S. based registrars WILL GET IT. SALES depts will kick their asses until they do.

  10. Re:GoDaddy Response by spitefulcrow · · Score: 3, Insightful

    An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. In an ideal world, parents would keep tabs on their children's Internet usage and educate them on how to avoid being taken advantage of or hurt. I find it shameful that parents choose to blame others (like ISPs) for the consequences of their neglect. "Think of the children" is the pitiful argument used by people without other valid arguments for placing restrictions on the free flow of information. I don't have any domains hosted by GoDaddy, but you can be sure that you have lost another potential customer.

    --
    Sorry, my karma just ran over your dogma.
  11. Re:GoDaddy Response by MooUK · · Score: 4, Insightful

    The last few sentences of this post can be summarised in a much clearer fashion:

    "Think of the children!"

  12. Re:GoDaddy Response by Fulcrum+of+Evil · · Score: 5, Insightful

    As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. I

    That's not your damn job! You are a registrar. If you take it upon yourself to police the contents of the sites in your registry, what happens when you get sud for failing to do so? Go do your job and stop trying to police things that are none of your business.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  13. Re:GoDaddy Response by laughingcoyote · · Score: 3, Insightful

    Please allow me to put this in a few words:

    This is not your place.

    It is the job of the police and courts to enforce the law, not you. It is the job of parents to protect their children, not you. You are a registrar. Your job is to ensure that your customers' sites are accessible. Your job is not to judge that site's content. If someone thinks the site should be shut down, that person or organization can go get a proper court order. Until that time, you and your company are out of line in even considering a request to take down a site unilaterally.

    I have several domain name registrations coming up. I can assure you, those registrations will not be with your company, absent a public apology and an assurance that this will never happen again except upon a valid court order, and I will ensure that everyone I know who may register a domain is made well aware of this incident. Unless your position is quickly reversed, you stand to lose quite a bit of business.

    --
    To fight the war on terror, stop being afraid.
  14. Re:GoDaddy Response by Decius6i5 · · Score: 3, Insightful
    As a GoDaddy customer who hosts an open discussion site on a domain that is registered with GoDaddy, I am troubled by the mishandling of this incident. Frankly, I look at this as a substantial risk to the stability of my website, and I am now contemplating a transition to a new registrar.


    I'm assuming that this account and response were actually posted by GoDaddy. If so, I'm glad you've decided to address this matter, but unforunately, you haven't gone far enough. Your handling of the matter was irresponsible, and this post glosses over serious problems with your process. You need to address these problems directly if you expect people to rely on you for registrar services. For example:

    In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.
    This is not an honest representation of what occurred. The voicemail your abuse department left has been made public. You called the customer to inform him that the domain had already been scheduled for deactivation. You did not provide an explanation and you did not provide any telephone contact information.

    Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.
    The fact is that you did not leave a telephone number where your abuse department could be reached. According to the customer you did not respond to emails that were sent to the abuse department, your technical support group would not forward calls to the abuse department, and the customer was informed that he would receive a response in one to two business days.


    This characterization that you did everything you could to contact the customer and when you finally did you got the site back up immediately is totally dishonest. The facts are that you knew that this website was a large community site and that the operators had not directly posted the content you were seeking to block access to, but you disconnected the domain without making prior contact with the customer, and you made it as hard as you possibly could for the customer to contact you after the fact to resolve the matter.

    This is not a responsible way to handle incidents like this, and you cannot justify it. Furthermore, spinning it makes matters even worse, as it means that we can expect similar problems to be dealt with in a similar way in the future. That means that GoDaddy cannot be relied upon as a DNS registrar for serious Internet resources that need stable DNS services, particularly if they are open or community based sites that allow third parties to post content.

    I would caution you against underestimating the influence that technical communities like Slashdot AND Seclists.org have over the purchasing decisions made by people deploying Internet systems and networks. If you do not take a serious critical look at your processes and respond to your customers in a way that assures us that incidents like this will not happen again it will have a serious negative impact on your business.