MySpace and GoDaddy Shut Down Security Site
Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"
Case-by-case basis... (Score:5, Insightful)
Overkill (Score:5, Insightful)
Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the entire site shut down?
That's like using a hand grenade to swat a fly.
The logical way to go about this is as follows:
MySpace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation, which would have made it clear that they were looking at one page out of a quarter million... at which point they should have either told MySpace to contact the host, or done it themselves.
Even if, after all these steps, GoDaddy still decided to suspend the registration, they should have contacted him first: remove this page or we'll have to disable your site. Failing that, they should have told him why it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.
Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.
Case by case basis (Score:5, Insightful)
In other words, "We have no backbone. We obey power. You have none. MySpace does. Any questions?"
MySpace is the new AOL (Score:5, Insightful)
As to what MySpace did, I'm honestly surprised how incredibly angry that makes me. I thought I was jaded by the petulance of businesses at this point. And GoDaddy's response -- geez. I don't understand how a business can take your money and then refuse to talk to you.
Well, no -- I understand how they can do it. I understand it perfectly well. They do it because they figure they can get away with it, because even if they piss off one customer, how are the rest ever going to find out? Or care?
domain registrar neutrality (Score:4, Insightful)
Legal Implications? (Score:3, Insightful)
This seems to me to be an issue for the courts, not an IT department.
Re:Overkill (Score:5, Insightful)
Re:Overkill (Score:3, Insightful)
Unless your web hosting company is willing to go to bat for you, you'll never, ever, hear from a company like MySpace before your site is taken off line.
Overkill is an understatement (Score:5, Insightful)
Besides, MySpace's effort was entirely useless. Those usernames/passwords were already compromised; Fyodor's site was just one that had it from the many places it can be found. The sensible thing would have been a forced password reset for the users involved, not trying to coerce a registrar.
My position is that unless a legal, court-ordered action is forced on the registrar, it should be forbidden to drop anything. And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue, not a domain issue. Go bugger the hosting company with legal documents.
Re:What's the problem? (Score:3, Insightful)
Sounds reasonable to me.
And me too, but we seem to have the minority opinion here. I love reading the justifications on why this is "evil" of GoDaddy to do this. Then again, what do you expect from Slashdot readers? Last week everyone was up in arms because the RIAA and a SWAT team arrested a guy for "making mix tapes" when in fact he was a bootlegger with over EIGHTY THOUSAND bootleg CDs that got confiscated and it had nothing to do with mix tapes.
Re:Overkill (Score:3, Insightful)
What if they were cauliflowers? Or Polonium 290? Or Nigerian scam letters? What's that got to do with this situation? Even if they were credit card numbers and data, they're already in the wild and phished, the person who posted them on the seclists forum has the data anyway. Nuking domains isn't the solution to that problem.
I see a giant drop in revenue for GoDaddy (Score:5, Insightful)
I have a few domains up for renewal, and was considering GoDaddy. Not any more. I am sure Slashdot readers must control the registration of several million domains.
I hope this publicity shows as a giant drop on their revenue graph.
Re:Overkill (Score:2, Insightful)
Re:Case-by-case basis... (Score:5, Insightful)
I'd suggest that everyone here who is disgusted with this action, especially those who have domains registered with GoDaddy, email GoDaddy public relations [mailto] and/or email their domain registration support [godaddy.com].
Just as an example, here is what I sent: Maybe if they get hit hard enough, somebody over there--maybe even ol' Bobby Parsons (does anyone know his email address?)--will figure out that companies can't pull this kind of crap anymore without repercussions.
Re:Overkill (Score:2, Insightful)
Question is... (Score:1, Insightful)
I don't know how much of an effort they made to contact Fyodor, but I don't think taking down that information was wrong.
Re:Probably reasonable (Score:3, Insightful)
Serious question: What explanation from GoDaddy would satisfy you (or other
Re:What's the problem? (Score:3, Insightful)
That's why GoDaddy is "evil": they don't want what's best for their customers (Fyodor in this case), they want what's safest for them. The land of the brave (and the free, but that's another post) it is not.
Also: can you supply a URL for that bootleg story? I'd like to check it out.
Re:Overkill (Score:3, Insightful)
Re:Unconscionable (Score:3, Insightful)
7. With a Passion: The way I hate your writing style.
joker.com or any non-us registrar. (Score:5, Insightful)
I worked for a large registrar (Score:3, Insightful)
Dear,
Please contact the owner of the domain for such matters. If you have any problems finding this, the information can be queried through the whois database. We do not comply with any request for take down unless signed by a judge in our LOCAL district court (the exact information for such procedures can be found in our legal notices on our website).
If you have any further questions, please contact your legal counsel or a legal counsel in our district to proceed.
Sincerely,
MyName
Usually I didn't get any further communication on this. We had a few times the police come in to 'take down' the server. We denied access to our datacenters and told them to take a hike. We also had a few times the police (detectives) to get an 'IP address' for a website (they heard you needed that somehow). We just wrote it down on a piece of paper and gave it to them, they must have thought it was like a package or device they were going to get to disable a site because they asked: What is that? An IP address. Is that it? Yes. Is the site down then? No. But we want it down! No, sorry, gotta get a court order AND a search warrant for our premises AND a search warrant for our client's premises (since the server is their premises).
Re:HERE IS A LINK FROM GOOGLE : FULL LIST (Score:3, Insightful)
Hey, it's not like a corporation in modern America has all of the rights of a citizen, is incredibly wealthy, is immortal, can't be jailed, has an infinite amount of man-hours, and can only be prosecuted monetarily. Oh, wait.
I can't believe nobody is ranting about Rupert Murdoch here yet.
Re:GoDaddy Response (Score:4, Insightful)
Re:GoDaddy Response (Score:5, Insightful)
"Think of the children!"
Re:GoDaddy Response (Score:5, Insightful)
As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. I
That's not your damn job! You are a registrar. If you take it upon yourself to police the contents of the sites in your registry, what happens when you get sued for failing to do so? Go do your job and stop trying to police things that are none of your business.
There is no question... (Score:2, Insightful)
Certainly, it was wrong.
GoDaddy did nothing right in this.
Specifically:
To clarify: even in the event there possibly did turn out to be an actual, legitimate, legal basis for the complaint, no process was followed to actually attempt to assess what that might be, nor to determine what a proper response -- other than taking down the entire domain -- might have actually been.
This, in the simplest of terms, is entirely a case of thoughtless censorship without even the most basic attempt at fact-finding.
How should they have handled it?
They should have:
This should have been the end of GoDaddy's involvement.
In the event the site's Responsible Party and MySpace did not come to an understanding, and they were again approached by MySpace, GoDaddy should then have:
if they were only the registrar, and not the hosting provider:
if they were also the hosting provider, they should then have:
Only in the event that GoDaddy's preliminary review did lead them to believe the claim was founded, they should have either (in general, so bear with me):
if the material fell under DMCA,
or, if not covered by DMCA,
Re:GoDaddy Response (Score:1, Insightful)
As a customer of various domain registrars I would like to point out that a registrar has a fiduciary duty to its customers to provide service. Go Daddy does not have a legal or fiduciary duty to "protect" children who have MySpace accounts. I am at least one parent who does not want some vague notion of my child's safety used to justify censorship. I've spoken with my son (yes, he has a MySpace account), and he agrees.
Mr. Butler, I recommend that you start reciting the phrase "the customer is always right" until it sinks in.
Re: The "Preventing Child Exploitation" Excuse (Score:3, Insightful)
It's time that those in power, whether governments or large corporations, stopped using this argument (along with the "If we don't curtail some of your rights, the terrorists have already won.") to justify their abuses.
Re:GoDaddy Response (Score:4, Insightful)
Please allow me to put this in a few words:
This is not your place.
It is the job of the police and courts to enforce the law, not you. It is the job of parents to protect their children, not you. You are a registrar. Your job is to ensure that your customers' sites are accessible. Your job is not to judge that site's content. If someone thinks the site should be shut down, that person or organization can go get a proper court order. Until that time, you and your company are out of line in even considering a request to take down a site unilaterally.
I have several domain name registrations coming up. I can assure you, those registrations will not be with your company, absent a public apology and an assurance that this will never happen again except upon a valid court order, and I will ensure that everyone I know who may register a domain is made well aware of this incident. Unless your position is quickly reversed, you stand to lose quite a bit of business.
Re:GoDaddy Response (Score:2, Insightful)
Scenario 1: MySpace has a grudge against a site (possibly a competitor or some site that gives a bad review). To get the site pulled all they have to do is post a list of (possibly fake) user/pass pairs on the site that has upset them and complain....
Scenario 2: A third party that has a grudge against a site (such as a hacker against a security site that has killed a botnet or something) posts a list of (again possibly fake) user/pass pairs and reports it to MySpace.
Either case would result in you pulling a site that is innocent of any wrongdoing, and which could be down for days or weeks if your customer is away on business or on holiday.
What MySpace *should* have done is blocked the usernames and passwords from continued access, had the leaked passwords reset by the account owners and contacted/dealt with the offending site by other (slower and less drastic) means. They could have gone one step further and logged who tried to access those accounts and gone after anyone trying to use the password list. Even if the list was only up for a few seconds the information is already in the wild and potentially now in the hands of many, many undesirables. "Shutting the door after the horse has bolted" springs to mind.
Re:GoDaddy Response (Score:3, Insightful)
I'm assuming that this account and response were actually posted by GoDaddy. If so, I'm glad you've decided to address this matter, but unfortunately, you haven't gone far enough. Your handling of the matter was irresponsible, and this post glosses over serious problems with your process. You need to address these problems directly if you expect people to rely on you for registrar services. For example:
This characterization that you did everything you could to contact the customer and when you finally did you got the site back up immediately is totally dishonest. The facts are that you knew that this website was a large community site and that the operators had not directly posted the content you were seeking to block access to, but you disconnected the domain without making prior contact with the customer, and you made it as hard as you possibly could for the customer to contact you after the fact to resolve the matter.
This is not a responsible way to handle incidents like this, and you cannot justify it. Furthermore, spinning it makes matters even worse, as it means that we can expect similar problems to be dealt with in a similar way in the future. That means that GoDaddy cannot be relied upon as a DNS registrar for serious Internet resources that need stable DNS services, particularly if they are open or community based sites that allow third parties to post content.
I would caution you against underestimating the influence that technical communities like Slashdot AND Seclists.org have over the purchasing decisions made by people deploying Internet systems and networks. If you do not take a serious critical look at your processes and respond to your customers in a way that assures us that incidents like this will not happen again it will have a serious negative impact on your business.