MySpace and GoDaddy Shut Down Security Site

Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"

Case-by-case basis...

in case it would be bad for our PR, then no, in case it would be good for our PR, then yes, we take the site down. /sarcasm?

Re:Case-by-case basis...

Interestingly enough, the action would turn out to be good for http://www.seclists.org/ [seclists.org] too as thousands of people are going to check that website after reading this story on Slashdot (I know I did).

Re:Case-by-case basis...

The problem is that whatever the cause, this was bad for GoDaddy's PR, and Slashdot users should let them know.

I'd suggest that everyone here who is disgusted with this action, especially those who have domains registered with GoDaddy, email GoDaddy public relations [mailto] and/or email their domain registration support [godaddy.com].

Just as an example, here is what I sent:

Regarding the recent action GoDaddy took against Seclists.org, I want to know just *why* I should keep my domains at GoDaddy, and not transfer to somebody who shows some respect for their customers.

I find it disgraceful that GoDaddy would bend over when somebody like MySpace pushes a little. How can I now know that my domains are safe from being shut down on a whim? By not following any meaningful procedure to resolve the conflict, you have caused myself and many others to loose any faith we had with you as a registrar.

When my domains expire in a few months, I will be transferring them to another registrar unless GoDaddy publicly apologizes to Fyodor Vaskovich, the owner of Seclists.org. In addition, he should also receive some compensation for his trouble, such as a free three-year renewal for all his domains.

See http://it.slashdot.org/article.pl?sid=07/01/26/154 2218 [slashdot.org] for more information and more customer responses.

Maybe if they get hit hard enough, somebody over there--maybe even ol' Bobby Parsons (does anyone know his email address?)--will figure out that companies can't pull this kind of crap anymore without repercussions.

Re:Case-by-case basis...

I am currently looking to transfer my 14 domain names from GoDaddy because of this action by them. I have e-mailed them and informed them of this.

PGA www.randomlogic.com

Re:Case-by-case basis...

I, like you, e-mailed them to complain about this. I got the following reply:

I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org. As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time. In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour. In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is. An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. Ben Butler Director of Network Abuse The Go Daddy Group, Inc

This, I guess, seems fair enough. Maybe its MySpace that are in the wrong? Surely the domain registrar should be a last resort for abuse and the website owner a first?

joker.com or any non-us registrar.

people -- if you dont like the DMCA or U.S registrars instead of whining about it simply switch to joker.com (it switzerland) or ghandi (in france) or any of the non-U.S. based registrars out there. They will take your credit cards and a currency coversion is handled automatically. if you dont like it -- SWITCH. vote with your wallet. eventually U.S. based registrars WILL GET IT. SALES depts will kick their asses until they do.

GoDaddy Response

I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org. As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time. In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour. In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is. An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. Ben Butler Director of Network Abuse The Go Daddy Group, Inc Abuse@GoDaddy.com

Re:GoDaddy Response

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. In an ideal world, parents would keep tabs on their children's Internet usage and educate them on how to avoid being taken advantage of or hurt. I find it shameful that parents choose to blame others (like ISPs) for the consequences of their neglect. "Think of the children" is the pitiful argument used by people without other valid arguments for placing restrictions on the free flow of information. I don't have any domains hosted by GoDaddy, but you can be sure that you have lost another potential customer.

Re:GoDaddy Response

The last few sentences of this post can be summarised in a much clearer fashion:

"Think of the children!"

Re:GoDaddy Response

As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. I

That's not your damn job! You are a registrar. If you take it upon yourself to police the contents of the sites in your registry, what happens when you get sud for failing to do so? Go do your job and stop trying to police things that are none of your business.

Re:GoDaddy Response

1. It is not your job to keep the Internet safe, your job is to keep a domain. You will be ordered to take a domain down with a court order.

2. That list of MySpace users is available at several full-disclosure lists. Taking down SecLists.org doesn't change anything.

3. Your customer has e-mail logs to prove his side of the story. Do you?

Re:GoDaddy Response

Please allow me to put this in a few words:

This is not your place.

It is the job of the police and courts to enforce the law, not you. It is the job of parents to protect their children, not you. You are a registrar. Your job is to ensure that your customers' sites are accessible. Your job is not to judge that site's content. If someone thinks the site should be shut down, that person or organization can go get a proper court order. Until that time, you and your company are out of line in even considering a request to take down a site unilaterally.

I have several domain name registrations coming up. I can assure you, those registrations will not be with your company, absent a public apology and an assurance that this will never happen again except upon a valid court order, and I will ensure that everyone I know who may register a domain is made well aware of this incident. Unless your position is quickly reversed, you stand to lose quite a bit of business.

Overkill

Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the entire site shut down?

That's like using a hand grenade to swat a fly.

The logical way to go about this is as follows:

1. Contact the site maintainer and convince them them to take the page down.
2. If that fails, contact the hosting provider, and convince them to take the page down. (Just the page, not the whole site.)
3. If that fails, and only then, contact the registrar and convince them to suspend the site.

Myspace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation, which would have made it clear that they were looking at one page out of a quarter million... at which point they should have either told MySpace to contact the host, or done it themselves.

Even if, after all these steps, GoDaddy still decided to suspend the registration, they should have contacted him first: remove this page or we'll have to disable your site. Failing that, they should have told him why it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.

Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

Re:Overkill

Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.

Re:Overkill

Sounds great, You start by posting yours.

Netsol

Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.

Eh, they use Network Solutions as their registrar - good luck getting anything done there.

Good concept, though.

Overkill is an understatement

It should be downright bloody illegal to do what Godaddy did. Or if not illegal, it should have serious repecussions for them as a registrar up to the point of dropping their registrar status.

Besides, Myspace's effort was entirely useless. Those usernames/passwords were already compromised, Fjodor's site was just one that had it from the many places it can be found. The sensible thing would have been a forced password reset for the users involved not trying to coerce a registrar.

My position is that unless a legal, court ordered action is forced on the registrar, it should be forbidden to drop anything. And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue. Go bugger the hosting company with legal documents.

Re:Overkill is an understatement

GoDaddy's been doing this for a long time. They suspended one of my business domains based on a single complaint by some random guy, then charged me $200 to allow me to transfer the domain to another registrar. Extortion? Yeah. Against ICANNs rules? Yeah. Do they get away with it? Yeah.

Then again, i called mastercard and told them i didn't authorize that charge, so they didn't get that $200 from me.

Re:Overkill

0) Take responsibility for your security being laughable, fire the people responsible, and secure your own shit before flinging it at others?

Hmmm.......

Case by case basis

In other words, "We have no backbone. We obey power. You have none. MySpace does. Any questions?"

Re:Case by case basis

""We have no backbone. We obey power."

So we should change the name to "YesDaddy".

HERE IS A LINK FROM GOOGLE : FULL LIST

http://archives.neohapsis.com/archives/fulldisclos ure/2007-01/0282.html [neohapsis.com]

now please shut down google?

oh I see, they are corporate and fydor is the little guy, I forgot!!!

Myspace is the new AOL

In the linked article Fyodor calls MySpace the "new AOL." I can see it. It certainly seems to encourage people to throw all caution to the wind.

As to what MySpace did, I'm honestly surprised how incredibly angry that makes me. I thought I was jaded by the petulance of businesses at this point. And Godaddy's response -- geez. I don't understand how a business can take your money and then refuse to talk to you.

Well, no -- I understand how they can do it. I understand it perfectly well. They do it because they figure they can get away with it, because even if they piss off one customer, how are the rest ever going to find out? Or care?

Re:Myspace is the new AOL

The ultimate blame in this case falls on GoDaddy for pulling the trigger. They should have told myspace "not our problem and you don't have the authority to ask for this action andyway. Get a court order."

I have a few domains registered with godaddy at the moment. In about an hour, they no longer will be, with a letter to their CEO (US Mail) saying why.

GoDaddy is now known as GoAwayDaddy in my book.

GoDaddy probably complied...

....because Rupert Murdoch would have just bought them and fired the people who questioned whether NewsCorp has the right to restrict freedom of information.

And, by the way, I hope GoDaddy's reading this. I'm moving my domains away from you because of your lackadaisical approach to our constitutional rights.

domain registrar neutrality

Domain registrars should remain neutral in content disputes. Quis custodies ipsos custodes?

Legal Implications?

IANAL but wouldn't the site owner have some serious legal ammunition against both MySpace and GoDaddy?

This seems to me to be an issue for the courts, not an IT department.

How timely

I'm about to move my website from one host to another because my current shared hosting company (Netactuate, formerly VR Hosted) is falling down on their ass. I haven't even been able to load my cpanel this morning, and I tried two different connections - but their front page loads in a snap. I only jumped on them because of the gentoo hosting special but lunarpages is 2/3 the price of the discounted rate... I get 5GB and lunar gives 250GB, I get 200GB of transfer or something like that (I can't even load the cpanel to see what my quota is) and lunarpages gives 2.5 TB. I'll miss the shell access, but I can live without. Anyway, the moral of this story is that I think I'll take advantage of this moment to transfer my domain registration from godaddy to another registrar. Anyone have any recommendations?

not an intelligent move..

The LAST thing in the world i would want to do as a registrar, or ANY web based business for that matter, is to piss off a bunch of hackers. I think karma might prevail on this one.

the next few thousand registered usernames:

The next few thousand registered usernames on myspace will strangely resemble something like:

';DROP database;select * from x where '=
';DROP database;--
...
\';\'\';DROP database;--

It is very strange indeed.

Impressively retarded

So, anyone have any recommendations for less-retarded registrars which might actually deserve my money?

Big surprise.

You get what you pay for with GoDaddy. I certainly wouldn't expect them to take my side in a dispute with MySpace, News Corp, or, frankly, anyone with a significant number of lawyers on their side.

Providers, by and large, will cave to any request from a big company...Hell there was an article about it here a few days ago, that linked the BoF Experiment [www.bof.nl] where they posted a public domain work on 10 different places, and then sent DMCA takedown notices to all 10 places, and had 7 remove it immediately even though it was clearly marked as public domain.

Face it; a hosting site that will stick up for it's customers against a significant threat from a big company is hard as hell to find, and sure as hell GoDaddy isn't going to do it for 10 bucks a month.

Unconscionable

1. Unconscionable: How I feel about this whole matter. Completely unconscionable that GoDaddy could or WOULD do anything like this.

2. 142: The number of domains I have registered with GoDaddy.

3. $1500: Roughly the annual amount I pay for my domains to renew them each year.

4. 48: The number of hours I have allotted myself this weekend to transfer each and every one of them AWAY from GoDaddy to someplace like NameCheap.com or DomainMonitor. Haven't decided yet.

5. True: Boolean value for whether or not I am pissed-off.

6. Very Much: The level of item 5, above's, value.

Re:Unconscionable

5. True: Boolean value for whether or not I am pissed-off.
6. Very Much: The level of item 5, above's, value.

Where did you learn the meaning of the word boolean?

Pulling my sites

I've sent email to GoDaddy's customer relations department asking for clarification of this, stating that I'm going to be pulling my personal sites (hosted there) and all domains (and my company's 350+ domains (no, we're not squatters..)). If this turns out to be true, and can't clarify their position on when they might arbitrarily pull sites based on nothing but a request other than "when we feel like it" EVERYONE should get the hell out of Dodge, as they obviously are responsible business partners. Waiting for my rely, which will probably never come.

I've said it before and I'll say it again...

GoDaddy can GoFuckThemselves

RTFA people, it was an archive

Everyone who is asking "WTF why do they even have the list?!" needs to go back and read the seclists.org list. It is an archive of a mailing list post, one which tens or hundreds of sites probably also have archived.

I believe MySpace and GoDaddy are both to blame here for reasons that any sensical person can see. I think I'll be looking for a new registrar now.

I see a giant drop in revenue for GoDaddy

I see a lot of slashdot readers pulling their domains to another registrar. I don't know if any are better, but at least there have to be some that haven't already taken these draconian messures.

I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure slashot readers must control the registration of several million domains.

I hope this publicity shows as a giant drop on their revenue graph.

Was looking for a registrar....

I was looking at GoDaddy's page last night and was considering doing business with them. Then I came across this story: GoDaddy, the domain registrar (not the webhost) pulls someone's domain registration (not the website) without notice, process, or warning to the customer just because some large company requested it. The real-life equivalent would be the sheriff coming and evicting you from your home because someone made a noise complaint.

GoDaddy and the DMCA...

I have a dedicated server hosted by GoDaddy, and a few days before Christmas got an automated DMCA takedown request for something a