MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists

from the silly-companies dept

Rich Kulawiec writes in to point out that Seclists.org, a site that archives various security-related email discussion lists (run by Fyodor, the author of nmap, who is generally well known within the security realm), was yanked offline completely yesterday thanks to a bogus complaint from MySpace to GoDaddy, the registrar/hosting company Fyodor used. It seems that MySpace was freaking out that yet another big list of MySpace usernames and passwords had leaked (and spread all over the net). So, they went into damage control mode. A few copies of the MySpace list had been mailed to one of the security mailing lists archived at Seclists, and rather than simply asking that they be removed, MySpace went straight to the hosting company to get the entire domain turned off -- which GoDaddy did without question (or giving Fyodor a chance to appeal). In other words, they shut down a huge domain full of useful information that was used by a lot of people, over one complaint about some information that is widely available all over the internet. Fyodor also notes that these types of bogus requests to hosting companies and registrars have only been increasing lately. It seems like there may be an opportunity for a registrar/hosting company to advertise that they don't wilt at the first sign of legal language, and at least give their customers a chance to respond.


Reader Comments

  1.  
    Chris Maresca, Jan 25th, 2007 @ 6:38pm

    Seclists.org seems fine to me...

    I don't have any trouble getting to the site....

    Chris.

     

  2.  
    Bryan Price, Jan 25th, 2007 @ 7:48pm

    That's another company

    for me to not do business with. Not that I have.

    27B Stroke 6 carries some good details.

    GoDaddy got back to me. General counsel Christine Jones defends taking down SecLists.org, saying that Fyodor had close to an hour to respond to GoDaddy's voicemail and e-mail warnings yesterday, and didn't.

    "We couldn't reach him, and because the content was hundreds and hundreds of MySpace user names and password, we went ahead and redirected the domain to remove that content," she says.



    "For something that has safety implication like that, we take it really seriously," she says. "For spammers, we give people a little bit of time to respond to us."



    Jones stands by the decision.

    "Should registrars be involved in this? I'm not sure," she says. "We're the largest domain registrar in the world, and my view is, for $8.95 its not okay for somebody to come and use our services to harm other people."

    -----

    Update

    Fyodor responds:



    Fyodor also sent in his timeline of events, supported by copy of the voicemail (.wav) from GoDaddy telling him he was scheduled for suspension, and the e-mail message telling him he'd been suspended. The difference between the two appears to be one minute, not one hour.

    I called back Jones, and she admits she doesn't know exactly how much notice he had.

    "I think the fact that we gave him notice at all was pretty generous," she said.


    That's absolutely sad and horrible. I will refuse to do any business with them.

     

  3.  
    Liam, Jan 25th, 2007 @ 7:48pm

    So can I

    Either the dns is slow like a bitch, it's back up, or it never happened?

     

  4.  
    wiley, Jan 25th, 2007 @ 7:53pm

    dude

    they posted usernames and passwords
    if it was for bank america they would have been arrested
    he needs to stop bitching

     

  5.  
    Anonymous Coward, Jan 25th, 2007 @ 8:52pm

    Re: dude

    like, i know right, my myspace login information is like, WAAAAY TOTALLY as important as like, my bank information. like, totally.

     

  6.  
    Mike (profile), Jan 25th, 2007 @ 10:27pm

    Re: Seclists.org seems fine to me...

    I don't have any trouble getting to the site....

    He moved it to a new host.

     

  7.  
    Anonymous Coward, Jan 25th, 2007 @ 10:40pm

    getting worse indeed

    I work for a hosting company and we just had to hire a full-time tech/legal person dedicated to handling these kinds of complaints.

    If MySpace's complaint was anything like what we get on a regular basis then it probably threatened to sue GoDaddy if they didn't take it down. Of course, I'm pretty sure there's lots of precedent that says we're not at fault but your typical support tech at any hosting company isn't going to have the legal expertise to figure out whether or not the complaint is completely bogus and so I imagine most are trained to just comply and wait for the customer to complain. If they don't complain then the site either wasn't important or they were in the wrong and they know it. At least that's what I imagine happens.

    We laugh them off unless the complaint also violates our TOS. If they threaten legal action, we tell them to have their lawyer contact us. Most complaints just disappear with that one.

     

  8.  
    NoverNetSBandit, Jan 26th, 2007 @ 12:19am

    hosting

    there used to be days when hosting companies didn't worry about petty shit... like days of the old credit card generators.. aol 3.0 days that were hosted thru such sites as geocities or 2600dotcom why do we all scare so easily now to threats... last i checked anyone can still post what they want to their own site. I hosting companies in the US have got too worried about who, what, when, where than they have to.
    What happened to the days of old?

     

  9.  
    Paul, Jan 26th, 2007 @ 12:43am

    Re: dude

    Sorry, I think you're missing the point: seclists.org didn't create the content, they just happened to have the site where it was posted.

    What should have happened is this: MySpace contact seclists.org, with a court order if they thought it necessary, to remove the content from the site. Then, if they wanted to sue/prosecute someone, they both work together to go after the people who made the post.

    Getting the *entire* site removed from the internet because somebody made a post is completely wrong both on the part of MySpace for contacting the host instead of the site, and on the part of GoDaddy for just blindly following the request instead of negotiating with their own customer.

     

  10.  
    Michael Vilain, Jan 26th, 2007 @ 2:20am

    It's a good thing and a bad thing

    GoDaddy is well known for being a chickenshit about any complaints. At $9/site, they aren't going to spend a lot of money in court or with lawyers dealing with any complaints, legal or otherwise. It's in their terms of service, plain and simple. For someone who uses them to host a critical domain, tuff titties. Should have gone with Network Solutions or some other registrar that doesn't care.

    On the plus side, spammers choose GoDaddy a lot. When I report spam or phishing to them from sites they're the registrar for, they usually take it down. No court order needed, just a LART email.

     

  11.  
    araemo, Jan 26th, 2007 @ 5:22am

    Re: dude

    Would have been arrested? Because someone emailed a list to a mailing list that he has no control over, and automatically archives? I don't think so, I think he's got the common carrier/safe harbor exception there.

     

  12.  
    Rich Kulawiec, Jan 26th, 2007 @ 7:48am

    Re: dude

    You've missed multiple points here.

    The URL of the entire username/password list was posted to a PUBLIC
    mailing list with multiple PUBLIC archives, of which Fyodor's is only one.

    At that point, the game is over. There is no point in even thinking
    about trying to suppress the information by any means. It's in the wild,
    and no posturing, threatening, or anything else will undo that.

    The only things that can be done are (a) to notify the affected users
    (b) to change their passwords -- don't wait for them to do it --
    (c) to figure out how this was done and take steps to avoid a repeat
    (d) to alert all MySpace users, since nothing guarantees that the list
    in question included *all* compromised accounts and (e) to publicly
    apologize for the problem.

    Shooting the messenger, as MySpace did with GoDaddy's collusion,
    simply reveals their own incompetence and lack of comprehension.
    It's thus hardly surprising that this is not the only security issue
    they have.

    And now they have -- by their very ill-advised handling of
    this incident, especially given Fyodor's well-deserved standing in
    the community -- sent the message to all security researchers that
    they are much better off NOT reporting or discussing any problems
    with MySpace publicly.

    This is an amazingly stupid move. They *might* be able to undo
    the damage if they issued an unconditional public apology to Fyodor,
    in which they admit that they were completely wrong, AND in which
    they offer to pick up the tab for his expenses in moving. But I doubt
    that will happen.

    Pity. Perhaps one day, when they've reaped what they've
    sown, they will learn.

     

  13.  
    FIREDOG, Jan 26th, 2007 @ 11:55am

    Re: dude

    You need to understand that sites like this are not doing this to hurt the public... It is doing it to show you that there is a security problem with this company (MySpace) and that users need to be aware! MySpace should be thanking them for showing the security flaws so they can fix them...

     

  14.  
    Ben Butler, Jan 26th, 2007 @ 4:10pm

    GoDaddy Response

    I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org. As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time. In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour. In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is. An important issue I would ask you to consider is one that is a top priority for us at Go Daddy – child exploitation or even the potential for it. I don’t know of any parent who wouldn’t want their child’s username and password protected.

    Ben Butler
    Director of Network Abuse
    The Go Daddy Group, Inc
    Abuse@GoDaddy.com

     

  15.  
    Oh Well then!, Jan 26th, 2007 @ 6:55pm

    Oh, it's for the children!

    Oh PLEASE,

    The readers of Techdirt are a bit too sophisticated to fall in line for that tired old saw.
    Aside from the fact that most of the "members" of MySpace are not children as such, the same information is still available on many other lists and archives.

    The genie was out of the bottle, your cork was too late & useless for preventing the spread of the information.

    The timing of your actions appears to be not what you have claimed, one minute is not one hour.

    I am removing all of the (at least it's only 5) domains I have registered with you to another registrar that will actually call me & give me time to respond iff something like this happens on one of my systems.

     

  16.  
    Area66, Jan 28th, 2007 @ 2:36pm

    DNS/server

    This just points out why we should run multiple DNS servers under our own control (you can do this).

    And multi-homed servers (mirrors - this isn't a how to, so overlook the lack of detail) of our sites (you can do this also).

    The level of redundancy (and number of distinct countries you operate in) is up to you. By doing this no one will ever take your site down.

    Cost - yes.
    Technical know how - a requirement.
    Knowing the only way to take your voice down is to take down the entire net - priceless.

     

  17.  
    sean melendrez, Feb 4th, 2007 @ 10:47pm

    no

    please don't shut off myspace

     

  18.  
    Anonymous Coward, Apr 27th, 2007 @ 4:00pm

    MySpace has been shown to be used by pedophiles to find their next victims.... By MySpace's logic they should take their own site down, just to protect the kids. Anyway, I am having serious thoughts about moving my 20-30 domain names to another registrar......

     

  19.  
    Bob North Smithfield, Sep 4th, 2007 @ 5:33pm

    My Space and "Security" Are Not On The Same Page.

    Just my opinion.

     

  20.  
    fodder99 (profile), Jul 11th, 2012 @ 7:24am

    Myspace hardly gets a mention in the press nowadays. Just as I imagine the same thing will happen to twitter in 5 or 6 years too.

     
