MySpace and GoDaddy Shut Down Security Site

Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"

Case-by-case basis...

[192939495969798999]

in case it would be bad for our PR, then no, in case it would be good for our PR, then yes, we take the site down. /sarcasm?

Overkill

[Kelson]

Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the entire site shut down?

That's like using a hand grenade to swat a fly.

The logical way to go about this is as follows:

1. Contact the site maintainer and convince them them to take the page down.
2. If that fails, contact the hosting provider, and convince them to take the page down. (Just the page, not the whole site.)
3. If that fails, and only then, contact the registrar and convince them to suspend the site.

Myspace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation, which would have made it clear that they were looking at one page out of a quarter million... at which point they should have either told MySpace to contact the host, or done it themselves.

Even if, after all these steps, GoDaddy still decided to suspend the registration, they should have contacted him first: remove this page or we'll have to disable your site. Failing that, they should have told him why it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.

Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

Case by case basis

[popo]

In other words, "We have no backbone. We obey power. You have none. MySpace does. Any questions?"

Myspace is the new AOL

[brennanw]

In the linked article Fyodor calls MySpace the "new AOL." I can see it. It certainly seems to encourage people to throw all caution to the wind.

As to what MySpace did, I'm honestly surprised how incredibly angry that makes me. I thought I was jaded by the petulance of businesses at this point. And Godaddy's response -- geez. I don't understand how a business can take your money and then refuse to talk to you.

Well, no -- I understand how they can do it. I understand it perfectly well. They do it because they figure they can get away with it, because even if they piss off one customer, how are the rest ever going to find out? Or care?

domain registrar neutrality

[Anonymous Coward]

Domain registrars should remain neutral in content disputes. Quis custodies ipsos custodes?

Legal Implications?

[popo]

IANAL but wouldn't the site owner have some serious legal ammunition against both MySpace and GoDaddy?

This seems to me to be an issue for the courts, not an IT department.

Re:Overkill

[DBCubix]

Let's post some usernames and passwords on MySpace and ask for their domain to be taken down. It only sounds fair.

Re:Overkill

[SatanicPuppy]

Why would they bother when they know GoDaddy will cave in a second? Send an email to a guy who runs a security site, and he'll tell you where to shove it...Not like he didn't know that MySpace would object to that information being public!

Unless your web hosting company is willing to go to bat for you, you'll never, ever, hear from a company like MySpace before your site is taken off line.

Overkill is an understatement

[A beautiful mind]

It should be downright bloody illegal to do what Godaddy did. Or if not illegal, it should have serious repecussions for them as a registrar up to the point of dropping their registrar status.

Besides, Myspace's effort was entirely useless. Those usernames/passwords were already compromised, Fjodor's site was just one that had it from the many places it can be found. The sensible thing would have been a forced password reset for the users involved not trying to coerce a registrar.

My position is that unless a legal, court ordered action is forced on the registrar, it should be forbidden to drop anything. And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue. Go bugger the hosting company with legal documents.

Re:What's the problem?

[Zontar_Thing_From_Ve]

...asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords...

Sounds reasonable to me.

And me too, but we seem to have the minority opinion here. I love reading the justifications on why this is "evil" of GoDaddy to do this. Then again, what do you expect from Slashdot readers? Last week everyone was up in arms because the RIAA and a SWAT team arrested a guy for "making mix tapes" when in fact he was a bootlegger with over EIGHTY THOUSAND bootleg CDs that got confiscated and it had nothing to do with mix tapes.

Re:Overkill

[moranar]

What if they were califlowers? Or Polonium 290? Or Nigerian scam letters? What's that got to do with this situation? Even if they were credit card numbers and data, they're already on the wild and phished, the person who posted them on the seclists forum has the data anyway. Nuking domains isn't the solution to that problem.

I see a giant drop in revenue for GoDaddy

[CharlieHedlin]

I see a lot of slashdot readers pulling their domains to another registrar. I don't know if any are better, but at least there have to be some that haven't already taken these draconian messures.

I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure slashot readers must control the registration of several million domains.

I hope this publicity shows as a giant drop on their revenue graph.

Re:Overkill

[Bill_the_Engineer]

I would take both actions... Firing incompetent security personel and closing down a website is not mutually exclusive.

Re:Case-by-case basis...

[nmb3000]

The problem is that whatever the cause, this was bad for GoDaddy's PR, and Slashdot users should let them know.

I'd suggest that everyone here who is disgusted with this action, especially those who have domains registered with GoDaddy, email GoDaddy public relations [mailto] and/or email their domain registration support [godaddy.com].

Just as an example, here is what I sent:

Regarding the recent action GoDaddy took against Seclists.org, I want to know just *why* I should keep my domains at GoDaddy, and not transfer to somebody who shows some respect for their customers.

I find it disgraceful that GoDaddy would bend over when somebody like MySpace pushes a little. How can I now know that my domains are safe from being shut down on a whim? By not following any meaningful procedure to resolve the conflict, you have caused myself and many others to loose any faith we had with you as a registrar.

When my domains expire in a few months, I will be transferring them to another registrar unless GoDaddy publicly apologizes to Fyodor Vaskovich, the owner of Seclists.org. In addition, he should also receive some compensation for his trouble, such as a free three-year renewal for all his domains.

See http://it.slashdot.org/article.pl?sid=07/01/26/154 2218 [slashdot.org] for more information and more customer responses.

Maybe if they get hit hard enough, somebody over there--maybe even ol' Bobby Parsons (does anyone know his email address?)--will figure out that companies can't pull this kind of crap anymore without repercussions.

Re:Overkill

[operagost]

1) Contact the site maintainer and convince them them to take the page down. Keep in mind that the website owner obviously didn't care about the sensitivity of the information, otherwise the page(s) would have never been made public.

The site maintainer didn't post the content, one of the users did. The webmaster may not have even been aware of the content. In the era of Web 2.0, draconian action such as that taken by MySpace and GoDaddy will result in chaos.

Question is...

[C_Kode]

How exactly do you as the hosting provider handle such a thing? I believe GoDaddy did the right thing to a point. They should have taken it down immediately, but should have tried to contact Fyodor immediately also. What you have to remember is it was listing user names and passwords of 250,000 MySpace users. I'm not a fan of MySpace or GoDaddy, but they did the right thing no matter how you feel about it. What if someone posted your account information (banking, email, FTP, unix, , SS#, etc) along with 250,000 other peoples on Google's home page along with any other prevalent information. Would you prefer your information be displayed for hours if the hosting provider could not get a hold of Google for the next seven hours, or shut it down immediately to stop the flow of that information and would (or *should*) get Google's attention quickly.

I don't know how much of an effort they made to contact Fyodor, but I don't think taking down that information was wrong.

Re:Probably reasonable

[TubeSteak]

if they will not provide explanation, I'll pull out too and will help spread the word. Just wouldn't be able trust them.

I thought it was rather obvious why GoDaddy dicked over SecList: MySpace is a big player on the internets & they get special treatement.

Serious question: What explanation from GoDaddy would satisfy you (or other /.ers), such that you continue giving them your business and would trust them? I would have thought the facts speak for themselves.

Re:What's the problem?

[remmelt]

The point is that Myspace, a large corp, asked Godaddy, another large corp, for the removal of a domain. The domain pointed to an ISP that hosted a site that had some passwords that are all over the internet. I am not saying Fyodor had a right to post those passwords (IANALetc but this sounds like a case of yelling fire in the cinema to me) but he didn't even have a chance to do anything about it. This all happened over his head, he wasn't notified. Myspace had no court order. Godaddy didn't have a legal or moral leg to stand on. Plus, the domain name itself has nothing to do with the content, which is hosted at the ISP, which is NOT Godaddy (AFAIK), so why didn't Myspace take it up with them? Or, omg, with Fyodor? The point is not that he shouldn't be punished (or not, it's for the court to decide) but that he was convicted and executed without so much as being told what for.
That's why Godaddy is "evil": they don't want what's best for its customers (Fyodor in this case), they want what's safest for them. The land of the brave (and the free, but that's another post) it is not.

Also: can you supply a URL for that bootleg story? I'd like to check it out.

Re:Overkill

[Kelson]

No, I interpreted it the same way you did: They reserved the right to take the same action again.

Re:Unconscionable

[Lord Ender]

7. With a Passion: The way I hate your writing style.

joker.com or any non-us registrar.

[Zurk]

people -- if you dont like the DMCA or U.S registrars instead of whining about it simply switch to joker.com (it switzerland) or ghandi (in france) or any of the non-U.S. based registrars out there. They will take your credit cards and a currency coversion is handled automatically. if you dont like it -- SWITCH. vote with your wallet. eventually U.S. based registrars WILL GET IT. SALES depts will kick their asses until they do.

I worked for a large registrar

[guruevi]

I got those questions too from large and smaller sites, first line didn't know what to do. My response to those things:

Dear,

Please contact the owner of the domain for such matters. If you have any problems finding this, the information can be queried through the whois database. We do not comply with any request for take down unless signed by a judge in our LOCAL district court (the exact information for such procedures can be found in our legal notices on our website).

If you have any further questions, please contact your legal counsel or a legal counsel in our district to proceed.

Sincerely,

MyName

Usually I didn't get any further communication on this. We had a few times the police come in to 'take down' the server. We denied access to our datacenters and told them to take a hike. We also had a few times the police (detectives) to get an 'IP address' for a website (they heard you needed that somehow). We just wrote it down on a piece of paper and gave it to them, they must have thought it was like a package or device they were going to get to disable a site because they asked: What is that? An IP address. Is that it? Yes. Is the site down then? No. But we want it down! No, sorry, gotta get a court order AND a search warrant for our premises AND a search warrant for our clients premises (since the server is their premises).

Re:HERE IS A LINK FROM GOOGLE : FULL LIST

[bill_mcgonigle]

oh I see, they are corporate and fydor is the little guy, I forgot!!!

Hey, it's not like a corporation in modern America has all of the rights of a citizen, is incredibly wealthy, is immortal, can't be jailed, has an infinite amount of man-hours, and can only be prosecuted monetarily. Oh, wait.

I can't believe nobody is ranting about Rupert Murdoch here yet.

Re:GoDaddy Response

[spitefulcrow]

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it. I don't know of any parent who wouldn't want their child's username and password protected. In an ideal world, parents would keep tabs on their children's Internet usage and educate them on how to avoid being taken advantage of or hurt. I find it shameful that parents choose to blame others (like ISPs) for the consequences of their neglect. "Think of the children" is the pitiful argument used by people without other valid arguments for placing restrictions on the free flow of information. I don't have any domains hosted by GoDaddy, but you can be sure that you have lost another potential customer.

Re:GoDaddy Response

[MooUK]

The last few sentences of this post can be summarised in a much clearer fashion:

"Think of the children!"

Re:GoDaddy Response

[Fulcrum of Evil]

As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. I

That's not your damn job! You are a registrar. If you take it upon yourself to police the contents of the sites in your registry, what happens when you get sud for failing to do so? Go do your job and stop trying to police things that are none of your business.

There is no question...

[_.- thimk! -._]

Certainly, it was wrong.

GoDaddy did nothing right in this.

Specifically:

1. there was no proper procedure behind the request from MySpace to begin with -- they simply asked an entire domain be taken down -- without having any right to do so -- and GoDaddy complied.
2. GoDaddy did NO review, to determine if there was an actual problem with content.
3. GoDaddy didn't 'take down the problematic content' they took down the entire site.
4. since no legal process was followed (which would have had at least some level of fact-finding), and GoDaddy did no fact-finding review of its own, there has been nothing to establish that posting the content would be 'illegal', even if it doesn't happen to be a 'good thing'.

To clarify: even in the event there possibly did turn out to be an actual, legitimate, legal basis for the complaint, no process was followed to actually attempt to asses what that might be, nor to determine what a proper response -- other than taking down the entire domain -- might have actually been.

This, in the simplest of terms, is entirely a case of thoughtless censorship without even the most basic attempt at fact-finding.

How should they have handled it?

They should have:

1. indicated that they are:
   • a domain registrar,
   • (only if actually also the hosting provider to the specific site, that they are) the hosting provider, not the content provider, and as such that
   • that they themselves do no review whatsoever of any content posted (on sites they do host) by any of their customers. (Perfoming content review makes them liable for content posted. Remaining a neutral content provider does provide them some level of legal protection. -- note IANAL, but do have some experience in this area. If there is a lawyer that would like to address this, please do feel free to enlighten us.)
2. directed the MySpace representative to contact the Administrative Contact for the site.
3. contacted the site Administrative Contact to give them notice of the complaint lodged by MySpace to allow the person(s) responsible for the site content to review the content and decide for themselves about appropriate actions to either voluntarily remove the content, or to deal with MySpace directly (providing an explanation to MySpace why they felt there was no need to remove the content).

This should have been the end of GoDaddy's involvement.

In the event the site's Responsible Party and MySpace did not come to an understanding, and they were again approached by MySpace, GoDaddy should then have:

if they were only the registrar, and not the hosting provider:

1. directed MySpace to take legal action against the site, as they are only the registrar.

if they were also the hosting provider, they should then have:

1. asked for the legal basis for MySpace request that GoDaddy take action if they did not receive satisfaction from the site Responsible Party, including the details of the basis for the scope of the request to shut down a domain, rather than review the specific material in question.
2. asked that the specific potentially problematic material in question be explicitly cited, in order that they could conduct a review of the content in question.
3. performed a review of the explicitly cited material to determine whether the claim from MySpace appeared to have any merit.
   
   Only in the event that GoDaddy's preliminary review did lead them to believe the claim was founded, they should have either (in general, so bear with me):
   
   if the material fell under DMCA,
4. asked that MySpace provide proper notice of a DMCA violation to the site Administrative Contact (again returning the issue to the proper responsible party).
   
   or, if not covered by DMCA,
5. asked that MySpace seek legal recourse against the party(ies) responsible for site c

Re:GoDaddy Response

[Anonymous Coward]

"Go Daddy is committed to keeping the Internet a safe place".

As a customer of various domain registrars I would like to point out that a registrar has a fiduciary duty to its customers to provide service. Go Daddy does not have a legal or fiduciary duty to "protect" children who have MySpace accounts. I am at least one parent who does not want some vague notion of my child's safety used to justify censorship. I've spoken with my son (yes, he has a MySpace account), and he agrees.

Mr. Butler, I recommend that you start reciting the phrase "the customer is always right" until it sinks in.

Re: The "Preventing Child Exploitation" Exuse

[some guy I know]

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.

When someone uses the "Won't somebody think of the children?" argument to justify his/her actions, check your freedom wallet; some of your rights may be missing.
It's time that those in power, whether governments or large corporations, stopped using this argument (along with the "If we don't curtail some of your rights, the terrorists have already won.") to justify their abuses.

Re:GoDaddy Response

[laughingcoyote]

Please allow me to put this in a few words:

This is not your place.

It is the job of the police and courts to enforce the law, not you. It is the job of parents to protect their children, not you. You are a registrar. Your job is to ensure that your customers' sites are accessible. Your job is not to judge that site's content. If someone thinks the site should be shut down, that person or organization can go get a proper court order. Until that time, you and your company are out of line in even considering a request to take down a site unilaterally.

I have several domain name registrations coming up. I can assure you, those registrations will not be with your company, absent a public apology and an assurance that this will never happen again except upon a valid court order, and I will ensure that everyone I know who may register a domain is made well aware of this incident. Unless your position is quickly reversed, you stand to lose quite a bit of business.

Re:GoDaddy Response

[mindwhip]

Two scenarios instantly spring to mind here on why this is Bad...

Scenario 1: MySpace has a grudge against a site (possibly a competitor or some site that gives a bad review). To get the site pulled all they have to do is post a list of (possibly fake) user/pass pairs on the site that has upset them and complain....

Scenario 2: A third party that has a grudge against a site (such as a hacker against a security site that has killed a botnet or something) posts a list of (again possibly fake) user/pass pairs and reports it to MySpace.

Either case would result in you pulling a site that is innocent of any wrongdoing, and which could be down for days or weeks if your customer is away on business or on holiday.

What mySpace *should* have done is blocked the usernames and passwords from continued access, have the leaked passwords reset by the account owners and contacted/dealt with the offending site by other (slower and less drastic) means. They could have gone one step further and logged who tried to access those accounts and go after anyone trying to use the password list. Even if the list was only up for a few seconds the information is already in the wild and potently now in the hands of many, many undesirables. "Shutting the door after the horse has bolted" springs to mind.

Re:GoDaddy Response

[Decius6i5]

As a GoDaddy customer who hosts an open discussion site on a domain that is registered with GoDaddy, I am troubled by the mishandling of this incident. Frankly, I look at this as a substantial risk to the stability of my website, and I am now contemplating a transition to a new registrar.

I'm assuming that this account and response were actually posted by GoDaddy. If so, I'm glad you've decided to address this matter, but unforunately, you haven't gone far enough. Your handling of the matter was irresponsible, and this post glosses over serious problems with your process. You need to address these problems directly if you expect people to rely on you for registrar services. For example:

In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.

This is not an honest representation of what occurred. The voicemail your abuse department left has been made public. [wired.com] You called the customer to inform him that the domain had already been scheduled for deactivation. You did not provide an explanation and you did not provide any telephone contact information.

Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.

The fact is that you did not leave a telephone number where your abuse department could be reached. According to the customer you did not respond to emails that were sent to the abuse department, your technical support group would not forward calls to the abuse department, and the customer was informed that he would receive a response in one to two business days.

This characterization that you did everything you could to contact the customer and when you finally did you got the site back up immediately is totally dishonest. The facts are that you knew that this website was a large community site and that the operators had not directly posted the content you were seeking to block access to, but you disconnected the domain without making prior contact with the customer, and you made it as hard as you possibly could for the customer to contact you after the fact to resolve the matter.

This is not a responsible way to handle incidents like this, and you cannot justify it. Furthermore, spinning it makes matters even worse, as it means that we can expect similar problems to be dealt with in a similar way in the future. That means that GoDaddy cannot be relied upon as a DNS registrar for serious Internet resources that need stable DNS services, particularly if they are open or community based sites that allow third parties to post content.

I would caution you against underestimating the influence that technical communities like Slashdot AND Seclists.org have over the purchasing decisions made by people deploying Internet systems and networks. If you do not take a serious critical look at your processes and respond to your customers in a way that assures us that incidents like this will not happen again it will have a serious negative impact on your business.