Comments on: GoDaddy pulls security site after MySpace complaints

A host of mailing list archives disappears after thousands of MySpace usernames and passwords are archived on the site.

[ifoster]

where did they get the information

The real bit of news that I would like to see is where and how Seclists.org got the information.

[Kelson]

It's a mailing list archive.

Seclist.org includes archives of several security-related mailing lists. The link to the site owner's email announcement explains:

"Anyway, everyone has this latest password list now, and it was even posted (several times) to the thousands of members of the fulldisclosure mailing list more than a week ago. So it was archived by all the sites which archive full-disclosure, including SecLists.Org."

[ifoster]

where did they get the information

The real bit of news that I would like to see is where and how Seclists.org got the information.

[JoeF2]

It is all over the place

On pretty much all security lists, including a description on how the information was obtained (through an overlay on the browser window).
MySpace needs to get a clue. Security through obscurity doesn't work. They should focus on fixing their system instead of going after mailing list mirrors.

[System Tyrant]

GoDaddy is bad.

Well with the information that I have on the subject I going to say that MySpace and GoDaddy were both in the wrong on this one. Given the nature of the information I can certainly understand the desire to get it off the web, but it sounds to me like it's already all over the web.

I think the truth is that GoDaddy either didn't investigate the objectionable material or they did a **** poor job at investigating it. Frankly, it's my opinion, which isn't worth much, that GoDaddy screwed up and so did MySpace.

Lucky for me I use neither and after this I don't plan on using GoDaddy. Not that they care.

[Thomas, David]

GoDaddy did the right thing

As SOON as you find security breach information being posted
on a website, you should ALWAYS immediately remove it. Then
a persistent effort MUST be made to contact the owner of the
website. I am not sure how the last part of that played out. But
anyone complaining that GoDaddy bent over, is a complete idiot.

If YOUR user names, and passwords were posted on a website,
the last thing you want is a negotian to take place before that
confidential information could be picked up by even more
people.

What occurred with the security site, was NOT free speech. It's
called aiding and abetting. I hope most of you aren't so
completely devoid of rational thought would think that GoDaddy
was somehow wrong.

[solrosenberg]

Nope

No, if my usernames and passwords were posted on a site, the first thing I would do is CHANGE THEM. The second thing I would do if find out how they got on the site in the first place. Removing the site from the DNS is shutting the barn door after the horses are long gone.

If someone posts a list of usernames and passwords in this thread, should news.com be taken offline?

[kobe wild]

Dont use Godaddy

The point of the story is:
Godaddy has in the past set restriction on what you can do with "Your Site"
if its registered using godaddy.
That's the number one reason I would never use them to host my domain name.
It's one thing to take down your site if you were hosing your site web pages with them.
It's completely another if your just using them as the domain name register.
Who electing you as the web police, godaddy sucks.
Don't even think of registering a p2p site or a torrent tracker with them.
If they don't want to host the domain name fine but they have also in the past
refused to release a domain name back to the owner of that domain.
He wanted to move that name to a different provider after godaddy decided
to pull domain name from there dns.
Don't register your name with godaddy it?s cheap for a reason.

[inachu]

Godaddy is not the police and should not act as such

Other than deleting websites related to trojans and spam Go Daddy has no right to be the ethical thermometer of the internet.

if there is something wron legally then police or some law enforcement should be involved. To do this at a whims notice make it appear as if they have some bubble gum chewing teen age girl trolling the Godaddy registry with the finger over the delete key. Go Daddy should have been neutral in this issue until notified by law enforcement.

[kjkenney2]

wow...

Alright, but this was not a legal issue. It was a huge invasion of privacy. My guess is that most people defacing GD here do not have a MySpace account as well. Otherwise they would realize how uncomfortable it would make one feel to know that their login info is availabel to millions. You need to follow the terms of service of any host and if you don't, you should expect retaliation. It would have been way too long if they had've waited for the 'law' to be involved

[christinamedia]

Am I in the Twilight zone here???

When it comes to the internet and big conglomerates (ahem...Myspace.com) the public is first to take the underdog under their wing, and bash the million dollar corporations. But, these big bad conglomerates wouldn't have gotten so far keeping their client's personal info, passwords, etc. over the internet where it shouldn't be visible. They censor that crap, as they should! I for one, say THANK YOU Godaddy.com for looking out for the little people! Every MySpace user should too...Read my whole, mean little article Here: http://niche-tech-news.blogspot.com/2007/01/godaddy-hosting-lays-down-for.html

[Bamont]

Freedom of Speech has never been Free.

The idea that we're all protected because of some big moral standard is ridiculous. People shouldn't expect to have these freedoms, and if any of you had actually read the court cases that document Free Speech, you'd come to find out that it's actually a matter of interpretation over Freedom of Expression.

None of this has anything to do with it.

He wasn't expressing anything - the website was documenting mailing lists and god only knows what else. This is a ruthless world, and since the Internet is difficult, if not albeit impossible, to police - there's no way that, legally, anything could be done about this.

Myspace services millions of people, many of whom are not internet savvy enough to protect their own information. Now, because they offer this service, if anyone gets caught with identity theft or any other precluding situation - and it's somehow tracked back to Myspace, that's a PR nightmare and could infringe on their advertisers and their ability to make money.

I sincerely doubt that's a risk they're willing to take. Myspace operates within the United States, a capitalist society - some of you need to get over it.

Freedom comes at a cost, and it's the greatest good for the greatest number. Had this country not lived by that motto for so many years, we would have fallen a century ago.

[jdbwar07]

What a bunch of garbage

If you're really that offended by freedom of speech and think that people "shouldn't expect to have these freedoms", you're free to move to China or North Korea.

"Freedom of speech isn't free" what a load of BS. In the US it's a fundamental right, guaranteed to everyone in the constitution. Obviously there are exceptions, you can't yell "Fire!" in a crowded theater, but it's not the job of the government or ISPs or whatever to police what everyone says just because it offends someone.

Could that mean that there will be some bad information out there? Of course, but that's the price we pay to live in a free society. Like I said, however there are a few countries in Asia and the middle east that will gladly "protect" you from all that.

[DeusExMachina]

Frre Speech has ALWAYS been free

All stupid platitudes aside, this silly, pseudo patriotic notion that
"Freedom of Speech has never been Free" runs counter to EVERY
tenet upon which this country was founded. No where does ANY
founding document talk about freedoms, including speech, as
something provided by government, or earned by its citizenry.
Instead, our founders (most of them, anyway) were quite clear in
their belief that these freedoms are FUNDAMENTAL, innate and
inalienable, and that government only served to secure them.
Contrary to popular myth, free speech IS absolute. I have EVERY
right to "shout fire in a crowded theatre," for instance.
I also, however, have the responsibility to endure the
consequences of those actions. If everyone yells at me to shut
up and sit down, no crime has been committed. If I print words
that defame a person, and these words are not true, then I am
liable for the damages caused. This is as it should be. At no
point, however, am I prevented from printing the words in the
first place.
Shouting idiotic slogans like "Freedom of Speech has never been
Free" may make you feel all cozy and compatriotic with the Toby
Keith crowd, but it and its sentiment have never had any
business in this country.

[alt130]

Phishing

Most likely they got the info via phishing, not an actual security breach. The weakest point is always the users.

That said, Myspace should have taken immediate action upon seeing the list to disable the passwords on the accounts affected, and contacted their users. That would solve the problem, instead of this pathetic cover-up. Glad to see the parties involved are being exposed for their actions.

[sheba94601]

My Space does contact members & solutions

My Space does contact users when there's a problem & provides fix-its, so they probably did contact owners of these passwords at the same time they contacted GoDaddy

[christinamedia]

wow.

Thank you, did you actually write a thoughtful comment on this article? I was having trouble seeing through the thick cloud of sheep tripe being spewed all over it. Kudos.

[mentalacuity]

Time for a New Registrar

I have been with GoDaddy for a few years now. I guess I will be moving on as well.

[ThisIsNotMyHandel]

It was just MySpace

All of you here defending GoDaddy stating that security is a number 1 priority and that what they did was right are foolish. You are acting like there was a list of passwords to nuclear missiles, credit cards, or even email accounts.

These were MySpace accounts. MySpace accounts have no value. MySpace is an entertainment site. I do not use MySpace and think that it is a joke and serves no purpose. I do think that MySpace should have responded to this by locking down the affected accounts and sending emails to those accounts to reactivate them.

GoDaddy has far worse web sites registered to them. I agree this is similar to taking down google because they provide CD-Keys in their search results or torrents of pirated material.

GOD WAKE UP IT IS JUST MYSPACE!!!!!

[godaddyabuse]

GoDaddy Response

I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.

As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.

In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.

In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.

In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.

An important issue I would ask you to consider is one that is a top priority for us at Go Daddy ? child exploitation or even the potential for it.

I don?t know of any parent who wouldn?t want their child?s username and password protected.

Ben Butler
Director of Network Abuse
The Go Daddy Group, Inc
Bbutler@GoDaddy.com

[flashfast]

Well done.

What was lost? 7 down hours of the domain. I believe godaddy
did the right thing, and as a custtomer of 7 years, and having
used several other services, one which tried to disallow me
renewing a domain so that another customer could buy it, I
cannot recommend G D highly enough. 48 hours is a reasonable
expectation for response, though I've found it to be often only
an hour or two. Godaddy have become the leading domain
registrar (I watched them grow from almost nothing) because
they have consistently treated customers with respect.

[techgeek76]

Haked site on GoDaddy

A couple of months a go a person that has a domain had a site hacked. Your company promised an investigation. That person did not hear a thing yet. That person paid 150.00 dollars for a restore with horrible results. He was promised that the site would be restored to the way it was before. It was not. As technology people we will make sure the word gets out about the horrible customer service.

[Machinka]

Ohhh.. for the children

Whenever anyone uses the excuse of protecting the children, my BS meter flys off the red.

If you want security, go to prison. You will be secure and provided a bed, food, clothing, and an education. The only thing you wont have is your freedom.

GoDaddy, Gone.

[Truth Speaker]

Hiding behind procedures and scare tactics

GoDaddy censors in the name of "following operating procedures" and protecting the world from child exploitation.

They have no right to shut down domains that are hosted elsewhere, but they do it because they can. Customers who have paid to register domains but host them elsewhere are under constant threat of censorship with GoDaddy.

There are more trustable registrars out they and they cost less money too.

[Hardrada]

Looking for a new registrar?

I recommend gandi.net. They're excellent. Not as flashy and feature-packed as GoDaddy, but their business practices are much, much better.

[kjkenney2]

ooh boy

Yeah higher prices and no phone number on the site sound awesome! Wow! email support within 48 hours! sounds amazing! greeeaaaat suggestion...

[olasycomida]

The responsibility is with MySpace

MySpace should have changed the accounts to a random password and emailed their users. These are because their crappy interface makes phishing attacks easy to execute. It would be a different story if GoDaddy was hosting the content, but they are providing domain name service, they should have told the myspace staff to contact the sysadmin of the host.

[kjkenney2]

I feel safer knowing this happened

As an avid GoDaddy and MySpace user, I feel the right thing was done in this situation. Free speech has its limits. This is no different than if I had a site that listed hundreds of usernames and passwords for your registrar accounts or credit card numbers or any other accounts. MySpace is a personal place too. I had my account hacked into before and feel horrible knowing that someone was in there looking at my personal information. Knowing GoDaddy, the site will be put back up in no time if the information is removed. This is not bad. Talk to anyone who has an account with Myspace and you will understand.

[samiamtoo]

"MySpace = the new AOL"...

Here we have a comment from a typical MySpace user - i.e., a mental weakling who can neither read nor think. The password list was one that had previously been stolen by crackers, and was in wide circulation on the internet. It was published as part of an archiving service similar to the wayback machine, but specifically geared to exploits. Consensus opinion among security experts (at least among those who are not owned by companies selling proprietary security software) is that security is increased by publication of exploits, so that the problems leading to the exploits will be known and addressed. The real security problem here is the rank idiocy and incompetence of MySpace and its users who stupidly fell for the phishing schemes that allowed the collection of passwwords in the first place.

[soldidude]

Comparing this to dumb things

Quit comparing myspace accounts to those that require storage and usage of personal financial data or other important accounts.

Of course, anyone reading the comments of 'avid' myspace users can pretty much discount them as uninformed and ignorant. I keep a myspace account for research and I assure you that there is NOTHING educated or impressive about its user base that would lead me to believe that they should have the slightest clue that the problem IS myspace, not the sites exposing their irresponsible practices.

[kjkenney2]

Hm...

Yeah, but they're not hosted with them. custom domain hosts indicate they're running they're own server. May not be with GD. If it bugs you then report it. sheesh.

[kjkenney2]

Obviously...

You don't realize how many kids have MySpace accounts. Little kids. I can think of at least 10 kids under the age of 16 that have an account with them. It's kind of a big deal. Do you have any kids? nephews? nieces? ask them if they have one and I'm sure you'll get a big 'Yes'.

[techgeek76]

GoDaddy

I have heard that GoDaddy domains are easy to hack. A friend of mine had a problem. Kind of being hypocrites.

[techgeek76]

Hacked site

WOW. Listen to this one. A friend of mines site was hacked and things were deleted. they charged him 150.00 dollars for a restore with no results. They promise his information would be restored. I am going to cancel my accounts with them.

Go with 1and1 they rock.

Their prices and service are the best. They have everything you need

Here is the link

http://www.1and1.com/?k_id=7926664