GoDaddy Wants Your Root Password
Johnny Fusion writes "The writer of the Sucuri Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password, and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials.
There is an update where GoDaddy explains itself and says they will change policy."
You already trust them 100% if you let them have access to your box
/That sounded wrong somehow
When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.
This isn't GoDaddy the domain registrar looking for your passwords; this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely it's a matter of calming down a paranoid admin who's yelling at Slashdot about a "security breach" when support wanted to log in.
Nothing to see here... move along.
Not surprising at all.
I had a domain with Godaddy a few years ago when they breached ICANN's rules by threatening to confiscate my domain unless I paid them $200, because I had supposedly breached their TOS.
GoDaddy is not to be trusted.
MABASPLOOM!
Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.
They only seem to market themselves by objectifying women and their services don't seem low priced or high quality. Frankly I think they are an embarrassment to the tech world.
meep
My understanding is that "VPS" usually implies that you are living in a VM on somebody else's box.
How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels (ssh, admin passwords, etc.). If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?
Obviously, in theory, you can never win against somebody who controls the hardware (and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
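As an added example, not from the original thread or from any of the parties it discusses: a guest-side audit of `~/.ssh/authorized_keys` against the operator's own allowlist of key fingerprints, which makes the silently appended key the post describes visible (it cannot stop a host that also edits the checker; it only turns a quiet addition into a finding). The key blobs, the sample file and the allowlist are constructed for illustration.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521"}  # key types OpenSSH accepts in authorized_keys
def fingerprint(wire: bytes) -> str:
    """OpenSSH 'SHA256:<unpadded base64>' fingerprint of a decoded public-key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(wire).digest()).decode().rstrip("=")
def parse_line(line: str):
    """(key_type, base64_blob) after any leading options such as command="..."; None if absent."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return tok, tokens[i + 1]
    return None
def decode_blob(ktype: str, blob: str):
    """Base64-decode the blob and confirm the RFC 4253 type string inside it matches the
    declared type (a mismatch means the line was edited or corrupted); None on failure."""
    try:
        wire = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    return wire if wire.startswith(len(ktype).to_bytes(4, "big") + ktype.encode()) else None
def audit(authorized_keys: str, expected: set) -> list:
    """(line_no, verdict, detail) for each key line the operator did not approve:
    'unexpected' for a well-formed key missing from the allowlist, 'malformed' otherwise."""
    findings = []
    for no, raw in enumerate(authorized_keys.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments carry no key
        parsed = parse_line(line)
        wire = decode_blob(*parsed) if parsed else None
        if wire is None:
            findings.append((no, "malformed", line))
        elif fingerprint(wire) not in expected:
            findings.append((no, "unexpected", fingerprint(wire)))
    return findings
def _ed25519_wire(pub: bytes) -> bytes:   # constructed blob; real keys come from ssh-keygen
    return b"\x00\x00\x00\x0bssh-ed25519" + len(pub).to_bytes(4, "big") + pub

OPERATOR_WIRE, ROGUE_WIRE = _ed25519_wire(b"\x11" * 32), _ed25519_wire(b"\x22" * 32)
OPERATOR_B64, ROGUE_B64 = (base64.b64encode(w).decode() for w in (OPERATOR_WIRE, ROGUE_WIRE))
EXPECTED = {fingerprint(OPERATOR_WIRE)}       # the operator's allowlist of fingerprints
SAMPLE_AUTHORIZED_KEYS = "\n".join([          # constructed sample authorized_keys file
    "# operator keys",
    f"ssh-ed25519 {OPERATOR_B64} ops@laptop",
    f'command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 {OPERATOR_B64} backup',
    f"ssh-ed25519 {ROGUE_B64} support",       # added out of band, never approved
    f"ssh-rsa {OPERATOR_B64} mislabelled"])   # declared type disagrees with the blob
```

Run `audit(open(path).read(), EXPECTED)` from cron against the real file and alert on any non-empty result; a line-4 style "unexpected" finding is exactly the key the post worries about.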
We've got a security expert who gets an email demanding his root password, and it's all good because they called and said sorry, we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!
These posts express my own personal views, not those of my employer
They store all the passwords encrypted, and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (like to investigate malware).
Look at this epic fail right here. All security bets are off.
That's not the question. The question is if GoDaddy is trustworthy.
Judge for yourself. Here are some stories about GoDaddy on Slashdot, in order by date:
Go Daddy Usurps Network Solutions (2005-05-04)
GoDaddy Serves Blank Pages to Safari & Opera (2005-12-08)
GoDaddy.com Dumps Linux for Microsoft (2006-03-23)
GoDaddy Holds Domains Hostage (2006-06-17)
GoDaddy Caves To Irish Legal Threat (2006-09-16)
MySpace and GoDaddy Shut Down Security Site (2007-01-26). That incident prompted this web site:
Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names.
Alternative Registrars to GoDaddy? (2007-02-03)
GoDaddy Bobbles DST Changeover? (2007-03-11)
850K RegisterFly Domains Moved To GoDaddy (2007-05-29)
According to this March 11, 2008 story in Wired, GoDaddy shut down an entire web site of 250,000 pages because of one archived mailing list comment: GoDaddy Silences Police-Watchdog Site RateMyCop.com. See below for Slashdot's story about RateMyCop.com.
GoDaddy Silences RateMyCop.com (2008-03-12)
ICANN Moves Against GoDaddy Domain Lockdowns (2008-04-08)
GoDaddy VP Caught Bidding Against Customers (2008-06-29)
Those are just the stories until July of 2008.
GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable.
Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!!
He uses women's bodies to advertise: Bob Parson's Video Blog.
Quote from the story, Registrars Still Ignoring ICANN Rules: "Over a year ago ICANN moved to clean up misbehaving registrars like GoDaddy..." (2009-07-22)
Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."
As someone who has been around the block with running a lot of web sites (well, a couple thousand at least) for say the last 10 years, I have learned the hard way to not put all your eggs in one basket. Registries come and go, even the big boys (at least service comes and goes, policies change), hosting providers can go bad for all kinds of reasons, and your DNS services are your keys to the castle in terms of just how much damage an outage can do to a business (backup DNS servers, people).
Living in Chile
What makes you think GoDaddy is founded on any sort of religious values? The ads don't suggest it.
I use irony whenever I can, but my shirts are still wrinkled...
Make a backup of your server, and then tell them that they won’t get it.
If they switch off your server, sue them for extortion, trespassing (in case they entered the server) and damages. [Same rules as with a (business) apartment and a landlord.]
But I personally already had hosters asking me for the root password. I refused. That was it. They did not do anything. (We still had a contract, after all.) Of course they told me that they wouldn’t give me support for the software. But I wouldn’t have wanted that anyway, since on the last managed server, they wrecked my database when one of their idiot admins did “fix” something.
I don’t see the problem. Let them bitch. Tell them to fuck off or you’ll sue. Done.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
They have a long-standing policy of refusing business with people who promote an agenda that counteracts conservative Christianity. It's impossible to register or get hosting for a pro-choice site with them, for instance. Just because they use T&A in their ads doesn't make them even-handed. It just shows that they will stoop to any level to attract customers.
This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise.
That's why I use ChangeIP.com for domain registrations.
You pick the name, give them a credit card, press the button and get on with your life. They won't hijack it, hold it hostage, try to sell you anything (except DDNS if you want it). You pay, they register. As it should be.
I now have three (count'em 3) clients that have lost their domains to GoDaddy. However, for only $400 or so, GoDaddy will sell you back your own domain.
I wouldn't use GoDaddy if my ass was on fire and they had free water.
"Another dumb freetard."
Another comment from someone who didn't bother to read the article or understand the issue.
Here's a quote from the Microsoft press release: "Upon completion of the migration, Go Daddy® will have moved all its parked domains from Linux to the Windows platform."
A "parked domain" is one with no real content, but just one small static web page that says something like "coming soon". The implication is that Microsoft Windows servers are fully capable of serving parked domains.
At the time, March 21, 2006, the story was that the Microsoft marketing department got GoDaddy to make the change by offering a lucrative deal. Why would Microsoft do that? This April 7, 2006 story explains: Microsoft Server gains 4.7% market share of hosted domains.
A parked domain, even though it is never visited except by accident, is a "hosted domain". Now it was possible for Microsoft sales people to talk about how Microsoft Windows server software was rapidly gaining market share. That would be entirely misleading, however.
Note that the press release misspelled GoDaddy as "Go Daddy", even though it was spelled correctly a few words earlier. That gives a picture of the level of competence involved at Microsoft's P.R. agency, Waggener Edstrom.
You may find it interesting that Pam Edstrom's daughter Jennifer and a former Microsoft manager wrote the book, Barbarians Led by Bill Gates. (August 15, 1998, eight years earlier) The Amazon.com review says the book "... presents a harsher and messier history, sharply questioning Microsoft's ethics and corporate wisdom..." The book seems authoritative; the authors certainly had inside access to the facts. It's certainly unusual that the daughter of one of the heads of Microsoft's P.R. agency would write a book discussing Microsoft's abusiveness in detail.