MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists

from the silly-companies dept

Rich Kulawiec writes in to point out that Seclists.org, a site that archives various security-related discussion email lists (run by Fyodor, author of nmap, and generally well-known within the security realm), was yanked offline completely yesterday thanks to a bogus complaint from MySpace to the registrar/hosting company Fyodor used, GoDaddy. It seems that MySpace was freaking out that yet another big list of MySpace usernames and passwords had leaked (and spread all over the net). So, they went into damage control mode. A few copies of the MySpace list had been mailed to one of the security mailing lists archived at Seclists, and rather than simply asking that they be removed, MySpace went straight to the hosting company to get the entire domain turned off — which GoDaddy did without question (or giving Fyodor a chance to appeal). In other words, they shut down a huge domain full of useful information that was used by a lot of people, over one complaint about some information that is widely available all over the internet. Fyodor also notes that these types of bogus requests to hosting companies and registrars are only increasing lately. It seems like there may be an opportunity for a registrar/hosting company to advertise that they don’t wilt at the first sign of legal language, and at least give their customers a chance to respond.



Comments on “MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists”

20 Comments
Bryan Price (user link) says:

That's another company

for me to not do business with. Not that I have.

27B Stroke 6 carries some good details.

GoDaddy got back to me. General counsel Christine Jones defends taking down SecLists.org, saying that Fyodor had close to an hour to respond to GoDaddy’s voicemail and e-mail warnings yesterday, and didn’t.

“We couldn’t reach him, and because the content was hundreds and hundreds of MySpace user names and password, we went ahead and redirected the domain to remove that content,” she says.

“For something that has safety implication like that, we take it really seriously,” she says. “For spammers, we give people a little bit of time to respond to us.”

Jones stands by the decision.

“Should registrars be involved in this? I’m not sure,” she says. “We’re the largest domain registrar in the world, and my view is, for $8.95 it’s not okay for somebody to come and use our services to harm other people.”

—–

Update

Fyodor responds:

Fyodor also sent in his timeline of events, supported by a copy of the voicemail (.wav) from GoDaddy telling him he was scheduled for suspension, and the e-mail message telling him he’d been suspended. The difference between the two appears to be one minute, not one hour.

I called back Jones, and she admits she doesn’t know exactly how much notice he had.

“I think the fact that we gave him notice at all was pretty generous,” she said.

That’s absolutely sad and horrible. I will refuse to do any business with them.

Paul says:

Re: dude

Sorry, I think you’re missing the point: seclists.org didn’t create the content, they just happened to have the site where it was posted.

What should have happened is this: MySpace contact seclists.org, with a court order if they thought it necessary, to remove the content from the site. Then, if they wanted to sue/prosecute someone, they both work together to go after the people who made the post.

Getting the *entire* site removed from the internet because somebody made a post is completely wrong both on the part of MySpace for contacting the host instead of the site, and on the part of GoDaddy for just blindly following the request instead of negotiating with their own customer.

Anonymous Coward says:

getting worse indeed

I work for a hosting company and we just had to hire a full-time tech/legal person dedicated to handling these kinds of complaints.

If MySpace’s complaint was anything like what we get on a regular basis then it probably threatened to sue GoDaddy if they didn’t take it down. Of course, I’m pretty sure there’s lots of precedent that says we’re not at fault but your typical support tech at any hosting company isn’t going to have the legal expertise to figure out whether or not the complaint is completely bogus and so I imagine most are trained to just comply and wait for the customer to complain. If they don’t complain then the site either wasn’t important or they were in the wrong and they know it. At least that’s what I imagine happens.

We laugh them off unless the complaint also violates our TOS. If they threaten legal action, we tell them to have their lawyer contact us. Most complaints just disappear with that one.

NoverNetSBandit (user link) says:

hosting

There used to be days when hosting companies didn’t worry about petty shit… like the days of the old credit card generators… AOL 3.0 days that were hosted through such sites as GeoCities or 2600dotcom. Why do we all scare so easily now at threats? Last I checked, anyone can still post what they want to their own site. I think hosting companies in the US have got too worried about who, what, when and where, more than they have to.
What happened to the days of old?

Michael Vilain (profile) says:

It's a good thing and a bad thing

GoDaddy is well known for being a chickenshit about any complaints. At $9/site, they aren’t going to spend a lot of money in court or with lawyers dealing with any complaints, legal or otherwise. It’s in their terms of service, plain and simple. For someone who uses them to host a critical domain, tuff titties. Should have gone with Network Solutions or some other registrar that doesn’t care.

On the plus side, spammers choose GoDaddy a lot. When I report spam or phishing to them from sites where they’re the registrar, they usually take it down. No court order needed, just a LART email.

Rich Kulawiec says:

dude

You’ve missed multiple points here.

The URL of the entire username/password list was posted to a PUBLIC mailing list with multiple PUBLIC archives, of which Fyodor’s is only one.

At that point, the game is over. There is no point in even thinking about trying to suppress the information by any means. It’s in the wild, and no posturing, threatening, or anything else will undo that.

The only things that can be done are (a) to notify the affected users, (b) to change their passwords — don’t wait for them to do it — (c) to figure out how this was done and take steps to avoid a repeat, (d) to alert all MySpace users, since nothing guarantees that the list in question included *all* compromised accounts, and (e) to publicly apologize for the problem.

Shooting the messenger, as MySpace did with GoDaddy’s collusion, simply reveals their own incompetence and lack of comprehension. It’s thus hardly surprising that this is not the only security issue they have.

And now they have — by their very ill-advised handling of this incident, especially given Fyodor’s well-deserved standing in the community — sent the message to all security researchers that they are much better off NOT reporting or discussing any problems with MySpace publicly.

This is an amazingly stupid move. They *might* be able to undo the damage if they issued an unconditional public apology to Fyodor, in which they admit that they were completely wrong, AND in which they offer to pick up the tab for his expenses in moving. But I doubt that will happen.

Pity. Perhaps one day, when they’ve reaped what they’ve sown, they will learn.

Ben Butler (user link) says:

GoDaddy Response

I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.

As we have said to our customers – Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.

In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.

In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.

In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy – child exploitation or even the potential for it.

I don’t know of any parent who wouldn’t want their child’s username and password protected.

Ben Butler
Director of Network Abuse
The Go Daddy Group, Inc
Abuse@GoDaddy.com

Oh Well then! (profile) says:

Oh, it's for the children!

Oh PLEASE,

The readers of Techdirt are a bit too sophisticated to fall in line for that tired old saw.
Aside from the fact that most of the “members” of MySpace are not children as such, the same information is still available on many other lists and archives.

The genie was out of the bottle, your cork was too late & useless for preventing the spread of the information.

The timing of your actions appears to be not what you have claimed; one minute is not one hour.

I am moving all of the (at least it’s only 5) domains I have registered with you to another registrar that will actually call me & give me time to respond if something like this happens on one of my systems.

Area66 says:

DNS/server

This just points out why we should run multiple DNS servers under our own control (you can do this).

And multi-homed servers (mirrors – this isn’t a how to, so overlook the lack of detail) of our sites (you can do this also).

The level of redundancy (and number of distinct countries you operate in) is up to you. By doing this no one will ever take your site down.

Cost – yes.
Technical know-how – a requirement.
Knowing the only way to take your voice down is to take down the entire net – priceless.
