
MySpace and GoDaddy Shut Down Security Site

Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'"
  • by mhazen ( 144368 ) * on Friday January 26, 2007 @02:05PM (#17771792) Homepage
    ....because Rupert Murdoch would have just bought them and fired the people who questioned whether NewsCorp has the right to restrict freedom of information.

    And, by the way, I hope GoDaddy's reading this. I'm moving my domains away from you because of your lackadaisical approach to our constitutional rights.
  • by Anonymous Coward on Friday January 26, 2007 @02:05PM (#17771794)
    does not agree with my content?

    It's time for some contract review...

  • How timely (Score:4, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday January 26, 2007 @02:06PM (#17771814) Homepage Journal
    I'm about to move my website from one host to another because my current shared hosting company (Netactuate, formerly VR Hosted) is falling down on their ass. I haven't even been able to load my cpanel this morning, and I tried two different connections - but their front page loads in a snap. I only jumped on them because of the gentoo hosting special but lunarpages is 2/3 the price of the discounted rate... I get 5GB and lunar gives 250GB, I get 200GB of transfer or something like that (I can't even load the cpanel to see what my quota is) and lunarpages gives 2.5 TB. I'll miss the shell access, but I can live without. Anyway, the moral of this story is that I think I'll take advantage of this moment to transfer my domain registration from godaddy to another registrar. Anyone have any recommendations?
  • Big surprise. (Score:5, Interesting)

    by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Friday January 26, 2007 @02:13PM (#17771968) Journal
    You get what you pay for with GoDaddy. I certainly wouldn't expect them to take my side in a dispute with MySpace, News Corp, or, frankly, anyone with a significant number of lawyers on their side.

    Providers, by and large, will cave to any request from a big company...Hell there was an article about it here a few days ago, that linked the BoF Experiment [www.bof.nl] where they posted a public domain work on 10 different places, and then sent DMCA takedown notices to all 10 places, and had 7 remove it immediately even though it was clearly marked as public domain.

    Face it; a hosting site that will stick up for its customers against a significant threat from a big company is hard as hell to find, and sure as hell GoDaddy isn't going to do it for 10 bucks a month.
  • by cyberkahn ( 398201 ) on Friday January 26, 2007 @02:14PM (#17771980) Homepage
    "remove a site that happened to archive a list of thousands of MySpace usernames and passwords"
    Why were these posted on the site? Was this part of disclosure regarding a security issue that MySpace wasn't willing to address?
  • by namityadav ( 989838 ) on Friday January 26, 2007 @02:15PM (#17771988)
    Interestingly enough, the action would turn out to be good for http://www.seclists.org/ [seclists.org] too as thousands of people are going to check that website after reading this story on Slashdot (I know I did).
  • by frantzen ( 137260 ) on Friday January 26, 2007 @02:20PM (#17772100)
    For instance, if the propagation of a large scale worm depended on a server at www.example.com, there are two effective ways to stop the worm in its tracks. One is to shut down the server at www.example.com. And the other is to pull the domain record. In such a situation most of us would advocate yanking both. I can't say that a registrar should never take action like this without a court order. But I don't believe this instance was justified.
  • by walt-sjc ( 145127 ) on Friday January 26, 2007 @02:21PM (#17772118)
    The ultimate blame in this case falls on GoDaddy for pulling the trigger. They should have told myspace "not our problem and you don't have the authority to ask for this action anyway. Get a court order."

    I have a few domains registered with godaddy at the moment. In about an hour, they no longer will be, with a letter to their CEO (US Mail) saying why.

    GoDaddy is now known as GoAwayDaddy in my book.
  • Unconscionable (Score:5, Interesting)

    by gellenburg ( 61212 ) <george@ellenburg.org> on Friday January 26, 2007 @02:25PM (#17772204) Homepage Journal
    1. Unconscionable: How I feel about this whole matter. Completely unconscionable that GoDaddy could or WOULD do anything like this.

    2. 142: The number of domains I have registered with GoDaddy.

    3. $1500: Roughly the annual amount I pay for my domains to renew them each year.

    4. 48: The number of hours I have allotted myself this weekend to transfer each and every one of them AWAY from GoDaddy to someplace like NameCheap.com or DomainMonitor. Haven't decided yet.

    5. True: Boolean value for whether or not I am pissed-off.

    6. Very Much: The level of item 5, above's, value.
  • Probably reasonable (Score:3, Interesting)

    by S3D ( 745318 ) on Friday January 26, 2007 @02:40PM (#17772506)
    I have only 2 domains with GoDaddy, but if they will not provide an explanation, I'll pull out too and will help spread the word. Just wouldn't be able to trust them. What if they transfer ownership of my domain if someone asks them? What if they charge my credit card for some insane amount of money just because they feel like it?
  • by mbstone ( 457308 ) on Friday January 26, 2007 @02:53PM (#17772776)
    I was looking at GoDaddy's page last night and was considering doing business with them. Then I came across this story: GoDaddy, the domain registrar (not the webhost) pulls someone's domain registration (not the website) without notice, process, or warning to the customer just because some large company requested it. The real-life equivalent would be the sheriff coming and evicting you from your home because someone made a noise complaint.
  • by Anonymous Coward on Friday January 26, 2007 @03:04PM (#17773056)
    http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0282.html [neohapsis.com]

    now please shut down google?

    oh I see, they are corporate and Fyodor is the little guy, I forgot!!!
  • Re:Big surprise. (Score:2, Interesting)

    by ulmanms ( 106454 ) on Friday January 26, 2007 @03:04PM (#17773066)
    I'm not defending what godaddy did, or the DMCA.

    But the BoF Experiment is based on European law (after a quick read, maybe I'm wrong) and that's flawed because the DMCA is different.

    The DMCA assumes guilt and you're afforded the safe harbor if you immediately remove the potentially offending content pending review.

    After you take down the content, THEN everyone debates whether or not it's really offending.

    Not cool, but it's the law and there's no way a company's going to take that risk.
  • by nickcoons ( 1053636 ) on Friday January 26, 2007 @03:04PM (#17773078) Homepage
    Besides, Myspace's effort was entirely useless. Those usernames/passwords were already compromised, Fjodor's site was just one that had it from the many places it can be found.

    That's true. Depending on how long it was there, it may have been crawled by Google and could be included in their next search index. If that happens, will Google be taken down for several hours as a result of such an email from MySpace? My guess is, probably not...
  • by Hes Nikke ( 237581 ) on Friday January 26, 2007 @03:22PM (#17773428) Journal

    Or if not illegal, it should have serious repecussions for them as a registrar up to the point of dropping their registrar status.
    serious repecussions[sic]: I along with every other slashdotter who RTFS [S=summary] will no longer be using GoDaddy. personally, i'm going to transfer my domains to some other host as soon as i can afford to do it.

    And in the case there is content that shouldn't be public on the site, that is a _hosting_ issue not a domain issue.
    GoDaddy does hosting as well... are you sure that GD wasn't the host? i don't know either way, i haven't RTFA'd - i'm still knee jerking :P

    bulletin i just posted to myspace:

    http://it.slashdot.org/article.pl?sid=07/01/26/1542218&threshold=1 [slashdot.org]

    myspace has just flexed its muscle to get a website with over 250,000 useful articles knocked off the internet because one article happened to contain user names and passwords. what did they do? rather than doing the right thing and asking Seclists.org to remove the ONE offending article, they went to godaddy and had the entire site pulled.

    as a show of disgust over this and many other actions that myspace has displayed, i am going to delete my account on 1/29/2007, and configure my computer to never let me access myspace again. i suggest that you do the same. contact me (nate [at] gotnate.com) if you need help blocking your own access to myspace. :)

    as an alternative, i recommend facebook.com. here's my profile: http://www.facebook.com/profile.php?id=516019381 [facebook.com]

    note: gotnate.com is currently hosted with godaddy. i will be taking similar actions with them as well.
  • Re:Overkill (Score:3, Interesting)

    by sorak ( 246725 ) on Friday January 26, 2007 @03:23PM (#17773462)

    Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. That quote from Jones, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

    Wow, you interpreted that quote completely differently from most of us. (I assume) that most of us interpreted it as "We reserve the right to screw our customers, as long as screwing that particular customer is the most convenient course of action for us"

  • Re:How timely (Score:3, Interesting)

    by TheLink ( 130905 ) on Friday January 26, 2007 @04:06PM (#17774362) Journal
    There are registrars outside US jurisdiction, e.g. www.gandi.net and joker.com.

    While this means you should be careful on the terms and conditions and check their track records (so far I've used gandi before and they seem ok, I don't know much about joker), it means companies in other countries will have to work a bit harder to take down your domain.

    Of course, if you use Gandi and do something that annoyed the French Gov, they might be able to force Gandi to pull your domain.
  • by neoform ( 551705 ) <djneoform@gmail.com> on Friday January 26, 2007 @04:22PM (#17774710) Homepage
    GoDaddy's been doing this for a long time. They suspended one of my business domains based on a single complaint by some random guy, then charged me $200 to allow me to transfer the domain to another registrar. Extortion? Yeah. Against ICANN's rules? Yeah. Do they get away with it? Yeah.

    Then again, i called mastercard and told them i didn't authorize that charge, so they didn't get that $200 from me.
  • Re:Question is... (Score:3, Interesting)

    by C_Kode ( 102755 ) on Friday January 26, 2007 @04:32PM (#17774898) Journal
    In this case, why couldn't Myspace send Fyodor a letter asking for the content to be removed? Why didn't GoDaddy ask Myspace that question?

    I don't think sending a letter to Fyodor was the answer. They had 250,000 compromised accounts. It wasn't the time to fire off a letter and sit and wait to see what happens. If you had a company and 250,000 accounts were compromised, I hope you would have been as assertive. It's not just important for your customers, it's important for your business as a whole.

    Remember, Fyodor had done nothing wrong.

    I don't recall anyone saying Fyodor did anything wrong. All I remember is a lot of people saying it was wrong to try and block propagation of private customer information. Which is why I brought up SS#, credit card information, etc. It's private information that isn't supposed to be on public display. It's not an issue with people until it's their information that's on public display.
  • Re:Question is... (Score:3, Interesting)

    by mrsbrisby ( 60242 ) on Friday January 26, 2007 @05:10PM (#17775678) Homepage

    I believe GoDaddy did the right thing to a point.
    And that's why nobody hosts with you. GoDaddy isn't the police, nor the Law.

    If someone sold you a stereo, then broke into your house and took it back, you'd call them a criminal. You wouldn't say they "did the right thing to the point", so besides the fact that GoDaddy sold virtual property, then broke into your virtual house and stole virtual property, how is this so different, it requires a completely different attitude?

    Would you prefer your information be displayed for hours if the hosting provider could not get a hold of Google for the next seven hours
    It's not up to me. It's not up to you either. It's up to a court of law so that rational and impartial minds find justice. Godaddy decided they were the judge and jury, and decided that they still are. I will never do business with Godaddy and I'd never do business with such a treacherous antiamerican hatemonger like yourself either.

    Or to put it a way your simple little mind might grasp: My friend got his car repossessed so he couldn't get to work, so he lost his job, so he couldn't pay his rent, so he got kicked out of his house all because his bank decided that regular automatic payment that had been going on for every month for a full year suddenly looked very suspicious, and rather than pay it, or contact anyone, they decided it must be fraudulent and locked his account.

    I think that Myspace could've fixed their bug, and turned their site off if Myspace had the bug. Asking Godaddy as they did was stupid and idiotic, but Godaddy actually doing it was downright criminal.

    You might trust Godaddy with your house, your car, your job, and your family, but I don't.

    I hope Fyodor sues Godaddy for all they're worth.
  • by Rohan427 ( 521859 ) on Friday January 26, 2007 @05:46PM (#17776314)
    I am currently looking to transfer my 14 domain names from GoDaddy because of this action by them. I have e-mailed them and informed them of this.

    PGA www.randomlogic.com
  • GoDaddy Response (Score:5, Interesting)

    by godaddyabuse ( 1056310 ) on Friday January 26, 2007 @06:40PM (#17777186)
    I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.

    As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.

    In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.

    In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.

    In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.

    An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.

    I don't know of any parent who wouldn't want their child's username and password protected.

    Ben Butler
    Director of Network Abuse
    The Go Daddy Group, Inc
    Abuse@GoDaddy.com
  • Re:GoDaddy Response (Score:4, Interesting)

    by Walter Carver ( 973233 ) on Friday January 26, 2007 @08:21PM (#17778692) Homepage
    1. It is not your job to keep the Internet safe, your job is to keep a domain. You will be ordered to take a domain down with a court order.

    2. That list of MySpace users is available at several full-disclosure lists. Taking down SecLists.org doesn't change anything.

    3. Your customer has e-mail logs to prove his side of the story. Do you?
  • by thedeath319 ( 735998 ) on Friday January 26, 2007 @08:24PM (#17778724) Homepage
    I, like you, e-mailed them to complain about this. I got the following reply:

    I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.

    As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.

    In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.

    In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.

    In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.

    An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.

    I don't know of any parent who wouldn't want their child's username and password protected.

    Ben Butler
    Director of Network Abuse
    The Go Daddy Group, Inc

    This, I guess, seems fair enough. Maybe it's MySpace that are in the wrong? Surely the domain registrar should be a last resort for abuse and the website owner a first?
  • Re:GoDaddy Response (Score:3, Interesting)

    by mr_walrus ( 410770 ) on Friday January 26, 2007 @09:44PM (#17779454)
    the end never justifies the means.
    in the name of child-abuse let us just simply suspend all rights and freedoms.

    unless/until you get a properly legal document requesting a shutdown, JUST SAY NO.
    and exactly what did you do to confirm the identity of whoever made the request?

    how do you avoid denial-of-service attacks by the people making a take-down request
    actually being the same ones who posted inappropriate things at a site?

    eeeeesh.
    there is no justification. period.

    my own eight domains at godaddy will be transferred soon.

  • GoDaddy's Response (Score:2, Interesting)

    by C0C0C0 ( 688434 ) on Friday January 26, 2007 @09:49PM (#17779504)
    I asked GoDaddy what their side of it was. This is what they sent me:

    I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.

    As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.

    In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.

    In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.

    In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.

    An important issue I would ask you to consider is one that is a top priority for us at Go Daddy - child exploitation or even the potential for it.

    I don't know of any parent who wouldn't want their child's username and password protected.

    Ben Butler
    Director of Network Abuse
    The Go Daddy Group, Inc
  • by dwayrynen ( 304160 ) on Saturday January 27, 2007 @03:00AM (#17781368)
    The DMCA does not require providers to have a knee jerk reaction - in fact all they had to do was ask you to remove it OR respond under penalty of perjury that you disagree with the original complaint at which point you and the complainer can fight it out in court and the provider is protected because they did what they were supposed to do.

    If you didn't take it down or didn't respond that you disagree with copyright status in a reasonable amount of time, then the provider would have to take you down or become liable themselves. "Reasonable" is not measured in hours.

    I would not blame the DMCA in your situation.

    Darin

  • by BillGatesLoveChild ( 1046184 ) on Saturday January 27, 2007 @04:06AM (#17781672) Journal
    I am a Godaddy customer and I'm not happy with this. Not one bit. It isn't *your* job to enforce Internet safety. It's your job to look after the domain names of your customers. Get that straight: I pay *your* salary. You and Bob Parsons work for *me and all your other customers*. I really resent the idea that some corporation can say right words to you, and shut down my web site. You're my domain shop. You are not my Priest, Lawyer or Moral Guardian. If MySpace want to shut something down, make them go to the courts and get an order like everyone else. Your behavior on this matter is abysmal. It worries me so much that if anyone here suggests a similarly priced service, I'll go there. Quite frankly, I don't trust you with my domain names.
  • by egork ( 449605 ) on Saturday January 27, 2007 @09:22AM (#17782712) Homepage Journal

    In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer.
    Why not let MySpace suspend all their customers accounts, that were compromised, instead?

    MySpace would then have contacted their customers and let them change their passwords.
    Once the passwords were published, they have to be changed anyways, haven't they?
