MySpace and GoDaddy Shut Down Security Site

Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"

Case-by-case basis...

[192939495969798999]

in case it would be bad for our PR, then no, in case it would be good for our PR, then yes, we take the site down. /sarcasm?

Re:Case-by-case basis...

[namityadav]

Interestingly enough, the action would turn out to be good for http://www.seclists.org/ [seclists.org] too as thousands of people are going to check that website after reading this story on Slashdot (I know I did).

Re:Case-by-case basis...

[nmb3000]

The problem is that whatever the cause, this was bad for GoDaddy's PR, and Slashdot users should let them know.

I'd suggest that everyone here who is disgusted with this action, especially those who have domains registered with GoDaddy, email GoDaddy public relations [mailto] and/or email their domain registration support [godaddy.com].

Just as an example, here is what I sent:

Regarding the recent action GoDaddy took against Seclists.org, I want to know just *why* I should keep my domains at GoDaddy, and not transfer to somebody who shows some respect for their customers.

I find it disgraceful that GoDaddy would bend over when somebody like MySpace pushes a little. How can I now know that my domains are safe from being shut down on a whim? By not following any meaningful procedure to resolve the conflict, you have caused myself and many others to loose any faith we had with you as a registrar.

When my domains expire in a few months, I will be transferring them to another registrar unless GoDaddy publicly apologizes to Fyodor Vaskovich, the owner of Seclists.org. In addition, he should also receive some compensation for his trouble, such as a free three-year renewal for all his domains.

See http://it.slashdot.org/article.pl?sid=07/01/26/154 2218 [slashdot.org] for more information and more customer responses.

Maybe if they get hit hard enough, somebody over there--maybe even ol' Bobby Parsons (does anyone know his email address?)--will figure out that companies can't pull this kind of crap anymore without repercussions.

Re:Case-by-case basis...

[Rohan427]

I am currently looking to transfer my 14 domain names from GoDaddy because of this action by them. I have e-mailed them and informed them of this.

PGA www.randomlogic.com

Re:Case-by-case basis...

[thedeath319]

I, like you, e-mailed them to complain about this. I got the following reply:

I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org. As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time. In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour. In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is. An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. Ben Butler Director of Network Abuse The Go Daddy Group, Inc

This, I guess, seems fair enough. Maybe its MySpace that are in the wrong? Surely the domain registrar should be a last resort for abuse and the website owner a first?

Re: The "Preventing Child Exploitation" Exuse

[some guy I know]

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.

When someone uses the "Won't somebody think of the children?" argument to justify his/her actions, check your freedom wallet; some of your rights may be missing.
It's time that those in power, whether governments or large corporations, stopped using this argument (along with the "If we don't curtail some of your rights, the terrorists have already won.") to just

Re:

[brassman]

DO NOT wait until "[your] domains expire in a few months" -- I keep hearing from people who do that, and because the domain is within 30 (or even 60!) days of expiration, their old registrar refuses to transfer until they sign up for another year of service.

Any reputable domain registrar will give you credit for all the remaining time on your current registration. You lose nothing by transferring.

Don't put it off. Do it today.

joker.com or any non-us registrar.

[Zurk]

people -- if you dont like the DMCA or U.S registrars instead of whining about it simply switch to joker.com (it switzerland) or ghandi (in france) or any of the non-U.S. based registrars out there. They will take your credit cards and a currency coversion is handled automatically. if you dont like it -- SWITCH. vote with your wallet. eventually U.S. based registrars WILL GET IT. SALES depts will kick their asses until they do.

For better searching

[Beryllium Sphere(tm)]

The French registrar is Gandi, as opposed to Ghandi. This is meant to assist people in finding them and is not intended as a spelling flame.

GoDaddy Response

[godaddyabuse]

I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org. As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time. In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour. In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is. An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. Ben Butler Director of Network Abuse The Go Daddy Group, Inc Abuse@GoDaddy.com

Re:GoDaddy Response

[spitefulcrow]

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. In an ideal world, parents would keep tabs on their children's Internet usage and educate them on how to avoid being taken advantage of or hurt. I find it shameful that parents choose to blame others (like ISPs) for the consequences of their neglect. "Think of the children" is the pitiful argument used by people without other valid arguments for placing restrictions on the free flow of information. I don't have any domains hosted by GoDaddy, but you can be sure that you have lost another potential customer.

Re:GoDaddy Response

[MooUK]

The last few sentences of this post can be summarised in a much clearer fashion:

"Think of the children!"

Re:GoDaddy Response

[Fulcrum of Evil]

As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. I

That's not your damn job! You are a registrar. If you take it upon yourself to police the contents of the sites in your registry, what happens when you get sud for failing to do so? Go do your job and stop trying to police things that are none of your business.

Re:GoDaddy Response

[Walter Carver]

1. It is not your job to keep the Internet safe, your job is to keep a domain. You will be ordered to take a domain down with a court order.

2. That list of MySpace users is available at several full-disclosure lists. Taking down SecLists.org doesn't change anything.

3. Your customer has e-mail logs to prove his side of the story. Do you?

Re:

[mr_walrus]

the end never justifies the means.
in the name of child-abuse let us just simply suspend all rights and freedoms.

unless/until you get a properly legal document requesting a shutdown, JUST SAY NO.
and exactly what did you do to confirm the identity of whoever made the request?

how do you avoid denial-of-service attacks by the people making a take-down request
actually being the same ones who posted inappropriate things at a site?

eeeeesh.
there is no justifcation. period.

my own eight domains at godaddy will be tra

Re:

[Bill, Shooter of Bul]

Oh, godaddy cares about the children?!?

Thats godaddy.com maker of the sexist demeaning superbowl commercals? Durring the most watched game, you put on a terrible commercial every year that sends a terrable message to children. I think CBS should reject all of your commercials and Icann reject your status! You don't give a rats ass about "the children". If I had any domains there, I would move them as well. But, it appears I was too smart to use you in the first place. have a good time burning in hell.

You and Bob Parsons *work for me*, not MySpace

[BillGatesLoveChild]

I am a Godaddy customer and I'm not happy with this. Not one bit. It isn't *your* job to enforce Internet safety. It's your job to look after the domain names of your customers. Get that straight: I pay *your* salary. You and Bob Parsons work for *me and all your other customers*. I really resent the idea that some corporation can say right words to you, and shut down my web site. You're my domain shop. You are not my Priest, Lawyer or Moral Guardian. If MySpace want to shut something down, make them go

Re:GoDaddy Response

[laughingcoyote]

Please allow me to put this in a few words:

This is not your place.

It is the job of the police and courts to enforce the law, not you. It is the job of parents to protect their children, not you. You are a registrar. Your job is to ensure that your customers' sites are accessible. Your job is not to judge that site's content. If someone thinks the site should be shut down, that person or organization can go get a proper court order. Until that time, you and your company are out of line in even considering a request to take down a site unilaterally.

I have several domain name registrations coming up. I can assure you, those registrations will not be with your company, absent a public apology and an assurance that this will never happen again except upon a valid court order, and I will ensure that everyone I know who may register a domain is made well aware of this incident. Unless your position is quickly reversed, you stand to lose quite a bit of business.

Re:

[Decius6i5]

As a GoDaddy customer who hosts an open discussion site on a domain that is registered with GoDaddy, I am troubled by the mishandling of this incident. Frankly, I look at this as a substantial risk to the stability of my website, and I am now contemplating a transition to a new registrar.

I'm assuming that this account and response were actually posted by GoDaddy. If so, I'm glad you've decided to address this matter, but unforunately, you haven't gone far enough. Your handling of the matter was irrespons

Overkill

[Kelson]

Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the entire site shut down?

That's like using a hand grenade to swat a fly.

The logical way to go about this is as follows:

1. Contact the site maintainer and convince them them to take the page down.
2. If that fails, contact the hosting provider, and convince them to take the page down. (Just the page, not the whole site.)
3. If that fails, and only then, contact the registrar and convince them to suspend the site.

Myspace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation, which would have made it clear that they were looking at one page out of a quarter million... at which point they should have either told MySpace to contact the host, or done it themselves.

Even if, after all these steps, GoDaddy still decided to suspend the registration, they should have contacted him first: remove this page or we'll have to disable your site. Failing that, they should have told him why it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.

Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

Re:

[bladesjester]

From a lot of the stories that I've heard, this seems to be par for the course for GoDaddy. They've also supposedly been known to basically hold domain names hostage when people want to change services.

It's one of the big reasons that I don't register domain names through them.

Re:

[udderly]

It's one of the big reasons that I don't register domain names through them.

But what about the godaddy girl? [google.com].

Re:Overkill

[DBCubix]

Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.

Re:Overkill

[Dimentox]

Sounds great, You start by posting yours.

Netsol

[bill_mcgonigle]

Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.

Eh, they use Network Solutions as their registrar - good luck getting anything done there.

Good concept, though.

Re:

[Dimentox]

Your post contains information that could hurt the DMCA, Please shut down /. your compliance is manditory. :P (DMCA is Easilly abused.. hince Anshee Chung)

Re:

[SatanicPuppy]

Why would they bother when they know GoDaddy will cave in a second? Send an email to a guy who runs a security site, and he'll tell you where to shove it...Not like he didn't know that MySpace would object to that information being public!

Unless your web hosting company is willing to go to bat for you, you'll never, ever, hear from a company like MySpace before your site is taken off line.

Overkill is an understatement

[A beautiful mind]

It should be downright bloody illegal to do what Godaddy did. Or if not illegal, it should have serious repecussions for them as a registrar up to the point of dropping their registrar status.

Besides, Myspace's effort was entirely useless. Those usernames/passwords were already compromised, Fjodor's site was just one that had it from the many places it can be found. The sensible thing would have been a forced password reset for the users involved not trying to coerce a registrar.

My position is that unless a legal, court ordered action is forced on the registrar, it should be forbidden to drop anything. And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue. Go bugger the hosting company with legal documents.

Re:

[Hes Nikke]

Or if not illegal, it should have serious repecussions for them as a registrar up to the point of dropping their registrar status.

serious repecussions[sic]: I along with every other slashdotter who RTFS [S=summary] will no longer be using GoDaddy. personally, i'm going to transfer my domains to some other host as soon as i can afford to do it.

And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue.

GoDaddy does hosting as well... are you sure that

Re:Overkill is an understatement

[neoform]

GoDaddy's been doing this for a long time. They suspended one of my business domains based on a single complaint by some random guy, then charged me $200 to allow me to transfer the domain to another registrar. Extortion? Yeah. Against ICANNs rules? Yeah. Do they get away with it? Yeah.

Then again, i called mastercard and told them i didn't authorize that charge, so they didn't get that $200 from me.

Re:

[theshowmecanuck]

What if it was credit card information. The time it takes to contact the site owner could result in millions of dollars of theft. On a case by case basis, it makes sense to do this. Sometimes time is what they don't have. Given the high profile MySpace has received around predictors etc, maybe they felt it was prudent to do this. Granted I might not like it if it happened to me, but at the same time, it is understandable. I am all for free information, as long as it doesn't open things up to the crimi

Re:

[theshowmecanuck]

s/predictors/predators/
...should have put my glasses on when proofreading this

Re:

[moranar]

What if they were califlowers? Or Polonium 290? Or Nigerian scam letters? What's that got to do with this situation? Even if they were credit card numbers and data, they're already on the wild and phished, the person who posted them on the seclists forum has the data anyway. Nuking domains isn't the solution to that problem.

mass market effect

[Speare]

I completely agree 100% with all that you said. I also know that it would never happen.

Companies that are at the size and scale that allows them to say, in a condescending voice, "we're the world's largest X" in the span of a simple phone conversation, are completely incapable of the approach that you gave.

Personal, manual, coordinated investigation for a case involving 0.001% of your business? No frickin' way. There's probably 50 such cases every day, if not every hour. The order of the day is to

Re:

[daeg]

In this case, all of those fly in the face of what MySpace should have done.

MySpace should have invalidated all the usernames and passwords found in the list and notified those with compromised accounts that they need to change their password and alert them that they were compromised. Or just delete the profiles entirely, as they've probably already been compromised and filled with links to V!@Gr@ websites.

MySpace could even then use the list of passwords to detect hacking attempts and use it to improve the

Re:

[sorak]

Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

Wow, you interpretted that quote completely different from most of us. (I assume) that most of us interpretted it as "We reserve the right to screw our customers, as long as screwing that particular customer is the most convenient course of action for us"

Re:

[Kelson]

No, I interpreted it the same way you did: They reserved the right to take the same action again.

Re:

[lazlo]

It could be worse. They could have contacted ICANN and said "We know that someone is hosting a bunch of compromised usernames and passwords somewhere in the .org hierarchy. Could you please remove that TLD?"

I mean, yeah, it sounds unlikely, but... what if it worked?

Re:Overkill

[Scott Lockwood]

0) Take responsibility for your security being laughable, fire the people responsible, and secure your own shit before flinging it at others?

Hmmm.......

Re:

[AutopsyReport]

... And I'm certain you'd be saying the same thing if your bank or credit card agency had a security flaw in its system and your privacy was at stake. Wouldn't you want them to correct the situation asap?

Are you forgetting that, although the public thinks its just a MySpace account, many of those users probably have the same password for many other websites, programs, etc.

Re:

[Bill_the_Engineer]

I would take both actions... Firing incompetent security personel and closing down a website is not mutually exclusive.

Real-world analogy

[Kelson]

Sounds like the best solution of them all! You get the problem solved without going through the two previous steps -- and the problem is solved much faster.

OK. Let's take a real-world analogy. You're trying to capture a criminal suspect who lives in a town of 250,000. You know his name. You know where he lives. You know he's at home. Do you:

A. Send police to his home and arrest him?
B. Place the entire city under house arrest, saving you the trouble of sending that squad car?

Re:

[AutopsyReport]

Bad example because GoDaddy was essentially acting like the police, taking the 'criminal' down without affecting any nearby citizens. They didn't place a chokehold on the Internet to shut down the website.

And even if you put the city under house-arrest, as you say, you still have to send the police in. So your analogy really doesn't apply here.

Case by case basis

[popo]

In other words, "We have no backbone. We obey power. You have none. MySpace does. Any questions?"

Re:Case by case basis

[Original Replica]

""We have no backbone. We obey power."

So we should change the name to "YesDaddy".

HERE IS A LINK FROM GOOGLE : FULL LIST

[Anonymous Coward]

http://archives.neohapsis.com/archives/fulldisclos ure/2007-01/0282.html [neohapsis.com]

now please shut down google?

oh I see, they are corporate and fydor is the little guy, I forgot!!!

Re:

[bill_mcgonigle]

oh I see, they are corporate and fydor is the little guy, I forgot!!!

Hey, it's not like a corporation in modern America has all of the rights of a citizen, is incredibly wealthy, is immortal, can't be jailed, has an infinite amount of man-hours, and can only be prosecuted monetarily. Oh, wait.

I can't believe nobody is ranting about Rupert Murdoch here yet.

Myspace is the new AOL

[brennanw]

In the linked article Fyodor calls MySpace the "new AOL." I can see it. It certainly seems to encourage people to throw all caution to the wind.

As to what MySpace did, I'm honestly surprised how incredibly angry that makes me. I thought I was jaded by the petulance of businesses at this point. And Godaddy's response -- geez. I don't understand how a business can take your money and then refuse to talk to you.

Well, no -- I understand how they can do it. I understand it perfectly well. They do it because they figure they can get away with it, because even if they piss off one customer, how are the rest ever going to find out? Or care?

Re:Myspace is the new AOL

[walt-sjc]

The ultimate blame in this case falls on GoDaddy for pulling the trigger. They should have told myspace "not our problem and you don't have the authority to ask for this action andyway. Get a court order."

I have a few domains registered with godaddy at the moment. In about an hour, they no longer will be, with a letter to their CEO (US Mail) saying why.

GoDaddy is now known as GoAwayDaddy in my book.

I think you're right...

[brennanw]

... when I think about it more, what MySpace did was reprehensible but it's really the standard level of reprehensible I've come to expect from companies that grow more sociopathic the more successful they become. But GoDaddy pulled the plug and gave their paying customer no way of trying to resolve the problem -- he had to force the issue on his own. That leaves a really sour taste in my mouth. It almost makes me wish I had domains registered there just so I could transfer them.

GoDaddy probably complied...

[mhazen]

....because Rupert Murdoch would have just bought them and fired the people who questioned whether NewsCorp has the right to restrict freedom of information.

And, by the way, I hope GoDaddy's reading this. I'm moving my domains away from you because of your lackadaisical approach to our constitutional rights.

Constitutional Rights

[brennanw]

do not apply to your business relationship with a registrar.

That said, Godaddy acted irresponsibly and their reaction to the whole thing guarantee I'll never consider them if I want to register a domain. ... not that I need any more. Six is probably too much as it is...

Re:

[pla]

Constitutional Rights do not apply to your business relationship with a registrar.

From whom do the registrars derive their power?

IANAL(BIRGL), but I'd bet that, with big enough players involved (Google vs Fox, for example), a good lawyer could make a case that the registrar, in its capacity as an outsourced agent of the US Government, has some degree of obligation to obey the first amendment.

Re:

[Kelson]

do not apply to your business relationship with a registrar.

That's right, the Constitution doesn't actually say you have a right to freedom of speech, only that Congress can't make a law abridging it. Wait, why does this sound familiar [slashdot.org]?

You misunderstand...

[brennanw]

the Constitution only applies to the relationship between a citizen and the government. The Government can't take action to supress my free speech (well, obviously it can -- but it shouldn't be able to) -- but these rights can be almost nonexistant when it comes to business relationships. For example, I can't say anything I like in a privately owned building on the grounds that I have free speech -- when I'm on private property, my right to free speech is drastically weakened.

A webhost is also not bound by

Re:

[rajafarian]

I'm moving my domains away from you...

Me, too. Who are you going with?

Re:

[networkBoy]

I'm using e-nom(domain) and pagesgarden(previous domain and current host). In both cases I have had my host stand up to BS letters from lawyers (see link in sig). When I moved my domain from Pagesgarden to e-nom I told them I wanted a blinded whois. They happily transferred the domain reg and even helped me with the transition to ensure minimal exposure to downtime.

Two thumbs up to both.
-nB

domain registrar neutrality

[Anonymous Coward]

Domain registrars should remain neutral in content disputes. Quis custodies ipsos custodes?

Legal Implications?

[popo]

IANAL but wouldn't the site owner have some serious legal ammunition against both MySpace and GoDaddy?

This seems to me to be an issue for the courts, not an IT department.

How timely

[drinkypoo]

I'm about to move my website from one host to another because my current shared hosting company (Netactuate, formerly VR Hosted) is falling down on their ass. I haven't even been able to load my cpanel this morning, and I tried two different connections - but their front page loads in a snap. I only jumped on them because of the gentoo hosting special but lunarpages is 2/3 the price of the discounted rate... I get 5GB and lunar gives 250GB, I get 200GB of transfer or something like that (I can't even load the cpanel to see what my quota is) and lunarpages gives 2.5 TB. I'll miss the shell access, but I can live without. Anyway, the moral of this story is that I think I'll take advantage of this moment to transfer my domain registration from godaddy to another registrar. Anyone have any recommendations?

Re:

[PitaBred]

dreamhost? They aren't a registrar, but they're a great host

Re:

[skiingyac]

actually they are a registrar, but only for com/net/org

Re:

[drinkypoo]

I said registrar, not web host. I have already picked a webhost - lunarpages. I set up someone else's website on their service and while the lack of a shell is an annoyance, the fact that they actually have everything else I want (including imagemagick) AND they provide the ABSOLUTE best ratio of price to disk space and monthly transfer more than makes up for it.

Re:

[TheLink]

There are registrars outside US jurisdiction e.g www.gandi.net and joker.com.

While this means you should be careful on the terms and conditions and check their track records (so far I've used gandi before and they seem ok, I don't know much about joker), it means companies in other countries will have to work a bit harder to take down your domain.

Of course, if you use Gandi and do something that annoyed the French Gov, they might be able to force Gandi to pull your domain.

Re:

[SatanicPuppy]

I will reply to this post to make the meta-post chain complete (a reply to a post about a post that was a reply to a post of mine).

I myself have had a lot of issues with GoDaddy, and I can't help but be surprised at the people who are acting so shocked. It's cheap webhosting. They don't give a damn about individual customers, and they don't have a great reputation.

Getting a good webhost is hard. You have to be willing to move around a lot, and to pay more than 8 bucks a month.

not an intelligent move..

[sanimalp]

The LAST thing in the world i would want to do as a registrar, or ANY web based business for that matter, is to piss off a bunch of hackers. I think karma might prevail on this one.

the next few thousand registered usernames:

[A beautiful mind]

The next few thousand registered usernames on myspace will strangely resemble something like:

';DROP database;select * from x where '=
';DROP database;--
...
\';\'\';DROP database;--

It is very strange indeed.

Impressively retarded

[Klowner]

So, anyone have any recommendations for less-retarded registrars which might actually deserve my money?

Time to remove my registrations from GoDaddy...

[ScooterBill]

I can definitely say that I would be upset if my registrar simply shut down my site because "someone else" didn't like it.

There are proper ways of fixing these things.

Big surprise.

[SatanicPuppy]

You get what you pay for with GoDaddy. I certainly wouldn't expect them to take my side in a dispute with MySpace, News Corp, or, frankly, anyone with a significant number of lawyers on their side.

Providers, by and large, will cave to any request from a big company...Hell there was an article about it here a few days ago, that linked the BoF Experiment [www.bof.nl] where they posted a public domain work on 10 different places, and then sent DMCA takedown notices to all 10 places, and had 7 remove it immediately even though it was clearly marked as public domain.

Face it; a hosting site that will stick up for it's customers against a significant threat from a big company is hard as hell to find, and sure as hell GoDaddy isn't going to do it for 10 bucks a month.

Why where the passwords posted

[cyberkahn]

"remove a site that happened to archive a list of thousands of MySpace usernames and passwords"
Why where these posted on the site? Was this part of disclosure regarding a security issue that MySpace wasn't willing to address?

New Corporate Espionage method

[RyoShin]

1. Find a competiting business's website that is hosted by (or has their domain registered with) GoDaddy
2. Search for some location where user-submitted content my be posted (perhaps forums, or a shoutout box)
3. Post something that seems to be potentially "harmful" for their site security
4. Contact GoDaddy to take down the entire site
5. ??? (Case-by-case basis!)
6. PROFIT!

You know, GoDaddy keeps doing things that make me question whether I should keep my domains registered with them or not.

The other side is a very slippery slope as well

[frantzen]

For instance if the propogation of a large scale worm depended on the a server at www.example.com. There are two effective ways to stop the worm in it's tracks. One is to shut down the server at www.example.com. And the other is to pull the domain record. In such a situation most of us would advocate yanking both. I can't say that a registrar should never take action like this without a court order. But I don't believe this instance was jusitified.

Better domain registrars?

[mmurphy000]

Does anyone have any experience with domain registrars that would have handled this situation better than did GoDaddy? I'd love a registrar that's demonstrated that it strikes a better balance between "anything goes" and "you so much as look at us cross-eyed and we'll shut you down".

Unconscionable

[gellenburg]

1. Unconscionable: How I feel about this whole matter. Completely unconscionable that GoDaddy could or WOULD do anything like this.

2. 142: The number of domains I have registered with GoDaddy.

3. $1500: Roughly the annual amount I pay for my domains to renew them each year.

4. 48: The number of hours I have allotted myself this weekend to transfer each and every one of them AWAY from GoDaddy to someplace like NameCheap.com or DomainMonitor. Haven't decided yet.

5. True: Boolean value for whether or not I am pissed-off.

6. Very Much: The level of item 5, above's, value.

Re:

[Lord Ender]

7. With a Passion: The way I hate your writing style.

Re:Unconscionable

[Some guy named Chris]

5. True: Boolean value for whether or not I am pissed-off.
6. Very Much: The level of item 5, above's, value.

Where did you learn the meaning of the word boolean?

Pulling my sites

[All Names Have Been]

I've sent email to GoDaddy's customer relations department asking for clarification of this, stating that I'm going to be pulling my personal sites (hosted there) and all domains (and my company's 350+ domains (no, we're not squatters..)). If this turns out to be true, and can't clarify their position on when they might arbitrarily pull sites based on nothing but a request other than "when we feel like it" EVERYONE should get the hell out of Dodge, as they obviously are responsible business partners. Waiting for my rely, which will probably never come.

Probably reasonable

[S3D]

I have only 2 domains with GoDaddy, but if they will not provide explanation, I'll pull out too and will help spread the word. Just wouldn't be able trust them. What if they transfer ownership of my domain if someone ask them ? What if they charge my credit card for some insane amount of money just because they feel like it?

Re:

[TubeSteak]

if they will not provide explanation, I'll pull out too and will help spread the word. Just wouldn't be able trust them.

I thought it was rather obvious why GoDaddy dicked over SecList: MySpace is a big player on the internets & they get special treatement.

Serious question: What explanation from GoDaddy would satisfy you (or other /.ers), such that you continue giving them your business and would trust them? I would have thought the facts speak for themselves.

I've said it before and I'll say it again...

[pebs]

GoDaddy can GoFuckThemselves

Not a Freedom Of Speech Issue

[mpapet]

This is hardly a freedom of speech issue when the content in question is username/pwds. It would be if it were "billy-bob gates suckx and makes bad products..."

The more effective approach is to build the business case against choosing godaddy in the future. Nothing hurts them more than a shot in the pocketbook.

Personally, I question the wisdom of going with a company the size of godaddy to begin with. But that's me.

Re:

[bigtangringo]

Personally, I question the wisdom of going with a company the size of godaddy to begin with. But that's me.

Sorry? I certainly hope you're not implying they're small; because if that's the case you're terribly mistaken.

As of August 2006, they control 14.6 million domains and raked in over 15 million bucks in one quarter.

RTFA people, it was an archive

[FliesLikeABrick]

Everyone who is asking "WTF why do they even have the list?!" needs to go back and read the seclists.org list. It is an archive of a mailing list post, one which tens or hundreds of sites probably also have archived.

I believe MySpace and GoDaddy are both to blame here for reasons that any sensical person can see. I think I'll be looking for a new registrar now.

I see a giant drop in revenue for GoDaddy

[CharlieHedlin]

I see a lot of slashdot readers pulling their domains to another registrar. I don't know if any are better, but at least there have to be some that haven't already taken these draconian messures.

I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure slashot readers must control the registration of several million domains.

I hope this publicity shows as a giant drop on their revenue graph.

Was looking for a registrar....

[mbstone]

I was looking at GoDaddy's page last night and was considering doing business with them. Then I came across this story: GoDaddy, the domain registrar (not the webhost) pulls someone's domain registration (not the website) without notice, process, or warning to the customer just because some large company requested it. The real-life equivalent would be the sheriff coming and evicting you from your home because someone made a noise complaint.

GoDaddy and the DMCA...

[netfunk]

I have a dedicated server hosted by GoDaddy, and a few days before Christmas got an automated DMCA takedown request for something allegedly on the server.

I got an email from GoDaddy saying "please take this down and respond that, under penalty of perjury, you did so."

I happened to be checking my email at this moment, 12:30 at night, so I looked into the issue and responded to the email that the issue was resolved.

The next morning, my server wasn't responding to pings. So I email again saying, "hey, I took care of the complaint before you unplugged my machine, can you, you know, plug it back in?"

Day goes by. Eventually I get a response:

"Thank you for your response to the Copyright Department. In order to reactivate the site in question we will need you to provide the following information in a single email response:

A. An electronic signature. (This can be a scanned copy of your physical signature, or as simple as typing your full name.)
B. Identification of the material in question.
C. A statement, under penalty of perjury, that the material has either been removed or will promptly be removed."

So I write back again, explaining the details. Again.

Day goes by. I call the tech support number and explain the situation. The tech support guy (who was very nice) told me he couldn't help, and I should try emailing the address I already had, twice. Sigh. I do it again.

Day goes by. I get the following response:

"Thank you for contacting the Copyright Claims Department. Unfortunately your previous email did not include a statment under penalty of perjury. Please submit a complete content removal statement at your earliest convenience to have your services reactivated. For your reference an example of a complete copyright removal statement is listed below.

I, John Doe, under penalty of perjury, will remove the offending content at http://www.mydomainname.com/myfile/page.htm [mydomainname.com] promptly after the reactivation of my services. /John Doe/
John Doe
(Please accept the above as an electronic signature.)"

Okay, great. I finally found the magic formula. I copy the template exactly and fill in my details, send it out.

Day goes by. I get this back:

"Thank you for your email. We appreciate your responsiveness and cooperation on this matter. We have re-activated the account and services associated with your site. As some services require some time for propagation to take full effect, please allow 1-2 hours for the changes to take effect."

Ok, progress, finally.

Day goes by.
Day goes by.

Server still isn't responding. I email tech support to see if there's a problem. They tell me to try using the automatic reboot request form on the web panel. Sure enough, the system responds within minutes.

So basically, they were really on top of that from every angle. In the week my server was unavailable, I arranged for hosting at one of their competitors, Dreamhost.com, who rocks quite a bit. Specifically because of this incident, I probably won't renew the GoDaddy contract when it expires, but I also wonder if I'm really safer at any other ISP in America.

It's partially a shame because I really was perfectly satisfied with GoDaddy's hosting before this incident, and they just flat out botched it. The server provides bandwidth offloading for my main site, so I could survive without it for a week, but I couldn't imagine someone trusting their business to GoDaddy if they can callously cut your oxygen for a week.

It's also a shame because the DMCA required GoDaddy to have a knee-jerk reaction in the first place. I was basically accused, tried, and convicted by my service provider without any evidence or chance to defend myself. They should be looking at this as bad for business in even well-handled situations, and recognize that the best thing to do is take

I worked for a large registrar

[guruevi]

I got those questions too from large and smaller sites, first line didn't know what to do. My response to those things:

Dear,

Please contact the owner of the domain for such matters. If you have any problems finding this, the information can be queried through the whois database. We do not comply with any request for take down unless signed by a judge in our LOCAL district court (the exact information for such procedures can be found in our legal notices on our website).

If you have any further questions, please contact your legal counsel or a legal counsel in our district to proceed.

Sincerely,

MyName

Usually I didn't get any further communication on this. We had a few times the police come in to 'take down' the server. We denied access to our datacenters and told them to take a hike. We also had a few times the police (detectives) to get an 'IP address' for a website (they heard you needed that somehow). We just wrote it down on a piece of paper and gave it to them, they must have thought it was like a package or device they were going to get to disable a site because they asked: What is that? An IP address. Is that it? Yes. Is the site down then? No. But we want it down! No, sorry, gotta get a court order AND a search warrant for our premises AND a search warrant for our clients premises (since the server is their premises).

Re:

[arootbeer]

The problem is reasonable. The response is not. There's a post above that illustrates the point, but this is the point.

Re:

[Zontar_Thing_From_Ve]

...asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords...

Sounds reasonable to me.

And me too, but we seem to have the minority opinion here. I love reading the justifications on why this is "evil" of GoDaddy to do this. Then again, what do you expect from Slashdot readers? Last week everyone was up in arms because the RIAA and a SWAT team arrested a guy for "making mix tapes" when in fact he was a bootlegger with over EIGHTY THOUSAND bootleg C

Re:

[remmelt]

The point is that Myspace, a large corp, asked Godaddy, another large corp, for the removal of a domain. The domain pointed to an ISP that hosted a site that had some passwords that are all over the internet. I am not saying Fyodor had a right to post those passwords (IANALetc but this sounds like a case of yelling fire in the cinema to me) but he didn't even have a chance to do anything about it. This all happened over his head, he wasn't notified. Myspace had no court order. Godaddy didn't have a legal or

Re:

[arodland]

"Massive spam attack"... wait, you can use MySpace for something else?

Re:

[necro2607]

I would imagine it was a list of phished emails/passwords which have all long-since been disabled or changed...

Login/password lists like these exist all over the net, just search Google a bit, but make sure you turn off the "English results only" option. ;)

Re:

[SatanicPuppy]

There was a list compiled by a bunch of phishers that made it into the open a few months ago...Lot of security guys were using it to do things like check for the average complexity of passwords among users and suchlike. The first link I found was on Google was the Tech Reads [cyber-knowledge.net] blog, dated 9/16/6 (mdy), so this is nothing new.

Ordering a takedown in pointless...I can't believe that those users weren't informed that they should change their passwords, and if they were, what's the problem?

Re:

[malkavian]

From even the text in the summary: It seems the editor of the forums was not present at the time, and somebody actually posted that in a public forum.
Once noticed (somebody told him the problem), he pulled the post.

Now, if that list was posted on Slashdot, would they pull that registration? If someone posted it on the BBC site, would they pull that?
Hell, it's probably cached in Google and a variety of other search engines. Are they going to pull those too?

You just creeped me out...

[rewt66]

I can actually see this happening. It's election day 2008, and Slashdot posts yet another story about how hackable Diebold voting machines are. Some election official goes ballistic, and asks Slashdot's ISP and/or registrar to knock them off the net for the rest of election day. One or the other complies.

Creepy.

Re:

[terrahertz]

GoDaddy was not hosting the site, they are the registrar for the domain name. As such they control DNS for seclists.org, and part of what they did was to change the nameserver from what it was supposed to be to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM, effectively preventing most people from accessing the site.

The IP in the A record for seclists.org is registered to "MEER NET," who is either hosting the site or reselling the hosting, and had nothing to do with what GoDaddy did.

Re:

[Electrum]

How exactly do you as the hosting provider handle such a thing? I believe GoDaddy did the right thing to a point.

GoDaddy was the domain registrar [wikipedia.org], not the hosting provider. There is a big difference. I would never use GoDaddy or any other domain registrar that would alter a registration without a court order.

Personally, I use directNIC [directnic.com] and Domain Contender [domaincontender.com].

Re:

[mrsbrisby]

I believe GoDaddy did the right thing to a point.

And that's why nobody hosts with you. GoDaddy isn't the police, nor the Law.

If someone sold you a stereo, then broke into your house and took it back, you'd call them a criminal. You wouldn't say they "did the right thing to the point", so besides the fact that GoDaddy sold virtual property, then broke into your virtual house and stole virtual property, how is this so different, it requires a completely different attitude?

Would you prefer your information be

Re:

[C_Kode]

In this case, why couldn't Myspace send Fyodor a letter asking for the content to be removed? Why didn't GoDaddy ask Myspace that question?

I don't think sending a letter to Fyodor was the answer. They had 250,000 compromised accounts. It wasn't the time to fire off a letter and sit and wait to see what happens. If you had a company and 250,000 accounts were compromised, I hope you would have been as assertive. It's not just important for your customers, it's important for your business as a whole.

Rememb