GoDaddy pulls security site after MySpace complaints

A popular computer security Web site was abruptly yanked offline this week by MySpace.com and GoDaddy, the world's largest domain name registrar, raising questions about free speech and Internet governance.

MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources, because a list of thousands of MySpace usernames and passwords was archived on the site. GoDaddy claims its customers own about 18 million domains.

GoDaddy complied. In a move that Seclists.org owner Fyodor Vaskovich said happened with no prior notice, the company deleted his domain name--causing his site to be effectively unreachable for about seven hours on Wednesday until he found out what was happening and removed the password list.

"They didn't tell me why they removed the site," Vaskovich, creator of the popular Nmap security auditing utility, said in a phone interview. "At a very minimum, we should get warning."

Vaskovich said he spent "hours and hours" on the phone with GoDaddy on Wednesday before he finally got through to someone who was willing to listen. As a result of this experience, he said in an e-mail announcement, "I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks."

For her part, GoDaddy general counsel Christine Jones defended the abrupt deletion, saying: "We tried to contact the registrant, but they were not available at the time. To protect the MySpace users from potentially having private information revealed, we removed the site."

Jones pointed out that GoDaddy's terms of service say the company "reserves the right to terminate your access to the services at any time, without notice, for any reason whatsoever."

Jones and Vaskovich, however, tell substantially different versions of exactly what happened. Jones characterized the episode as lasting only about an hour, saying her abuse department unsuccessfully "tried to contact" Vaskovich and "he actually contacted us about an hour" later after the removal occurred.

But Vaskovich provided CNET News.com with a log of correspondence from GoDaddy that corroborates his version of the story. It indicated that only 52 seconds elapsed from an initial voice mail notification to the time the domain was marked as "suspended." GoDaddy did not immediately respond to follow-up questions.

Vaskovich says MySpace did not contact him directly. MySpace declined to respond to repeated inquiries on Thursday.

Michael Froomkin, a law professor at the University of Miami who has written about domain name regulation, says this is the first time he's heard of a registrar abruptly taking a customer offline without a court order.

"Some people might feel safer with a registrar that's a little more pro-customer," Froomkin said.

Froomkin said this week's incident raises novel free speech questions--not legal ones, as long as GoDaddy's terms of service are broad enough. Rather, he said, the issue is "the quality of their review" of complaints received from firms like MySpace.

GoDaddy's Jones said that "we're not knee-jerk--we try to be responsible about verifying complaints." There's a broad spectrum of policies among domain name registrars, she acknowledged, with GoDaddy "probably the most aggressive."

But, Jones said, GoDaddy has a 24-hour abuse department that deletes domain names used for spam or child pornography on a daily basis. "We're not here to allow people to put illegal content on the Internet," she said. "We take this safety and the security of the Internet very seriously...We take our responsibility pretty seriously. We're the largest registrar in the world."

When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: "I don't know...It's a case-by-case basis."

[Dr_b_]

A password list?

That list could have been anything, real or not. Wouldn't the first step have been for myspace to contact the site owner, and then the ISP, rather then trying to shutdown the domain? Isn't that a bit weird? And that doesn't shut down the site entirely, the content is still there, and the site is still on the internet if you know the IP or know how to get it. What is myspace doing to secure its accounts, isn't that the real worry? Myspace isn't a bank, where I could have understood to some extent the domain being pulled if it were, or something equally serious, after getting a court order to block it when all other attempts have failed. So was having that list on the internet illegal in some way? Every goddady customer should be shopping their domains to a responsible registrar.

[theguitarizt]

official announcement

<a class="jive-link-external" href="http://seclists.org/nmap-hackers/2007/0000.html" target="_newWindow">http://seclists.org/nmap-hackers/2007/0000.html</a>

[ebaydude]

Close it down!!!

The damage that can be done by someone downloading the offending material in even a few seconds access is far greater the the upset of some who could not access the site.

I am glad the this corporate act was in the open, done quickly, and well explained eventually.

I would gone one step further and insisted that I see tha the offending material is off the site before it was allowed back up!

[sheba94601]

A thief is a thief regardless what he steals, LOCK HIM UP!!

Dr-b-, are u freakin NUTS?! Your post was the dumbest post I've ever read &#38; you obviously haven't researched whats causing majority of the problems on My Space before being so critical. You whine about how My Space complained to GoDaddy, then you turn around &#38; ask what is My Space doing to secure it's accounts...duh. No, My Space isn't a bank but all the damage that's being caused by hackers,spammers, etc obtaining passwords (account info)which lead to a wide range of vicious attacks, trojans, phishing, indentity theft &#38; viruses on our personal computers, you'd think they were trying to hack a major bank. There should be a law against &#38; 5 yrs. max for trifling idiots who have no real lives &#38; nothing better to do but break into other ppls passwords, accounts...worse yet, spreading it around! I continously have to go back &#38; forth w/ My Space techs behind of new &#38; old attacks on different member accounts from various pc's of friends, regardless how much protection we all use! It's sickning. My Space helps to keep our youths busy &#38; off the streets in disadvantaged &#38; urban communities, teaches them how to build &#38; manage web pages, take interest in computers, etc..but try having to explain to them why suddenly they can't click &#38; read messages from friends or visit other kid's creative pages b/c some lame may have stole this member's password &#38; put malicious codes in their editing section or spamming others w/ trojans, etc, pretending to be these members. Try explaining to your 'own' kids why idiots do bad, senseless things to spoil all the fun in life &#38; what makes idiots tick! There is no explanation to a logical decent human being.

[lonny paul]

Registrars only Controlled by Money

The domain registrars are amazingly spineless and some exist only to trade domain names during their non-registered periods. It's funny, registrars are the last to have any involvement with a website's operation, however, the hosting provider (which it seems in this case perhaps GoDaddy was also the host) has every responsibility under the DMCA to shut such things down. There ARE written procedures and steps necessary, which are detailed clearly by each hosting company.

I have shut down several websites over time without people getting much notice at all - mostly for reasons of defrauding customers of money trying to pose as other companies or organizations.

But sometimes, ISPs / Hosts and namely registrars are unhelpful and some are even accused of being the malicious ones int he bunch. Bob Parsons and GoDaddy are some of the most upgright registrars there are - organizations around the globe "float" domains - and Mr. Parsons is against this in every way, as we all should be.

ICANN has no control. .TV does whatever they want - at least people should have rights regarding proper notification methods. Also, if only a page of a website or pages(s) of a website are the problem, only THEY should be removed, unless they are a majority of the website.

Publishers have rights as well as others, however, we must always remember that your security may have been at risk in this case.

[danegeld]

No he's not

You might want to look into Bob Parson's history before you call him "upright". He used to have a punching bag in his office so he could hit that instead of his employees. What does that tell you about his character?

[0x90]

Huh?

"..we must always remember that your security may have been at risk in this case."

User security of myspace is the problem of myspace. Not everyone else, and not SecLists.org (well respected security information).

cat myspace &gt; /dev/null

[Carusk]

dont use godaddy

only 52 seconds jeeze, thats alot of trying, maybe a techie at godaddy had his myspace account on the list and fast tracked this :P

[lwrules]

yet godaddy continues to protect a known myspace phisher

20 complaints lodged and not even one response and the phish is still live:

<a class="jive-link-external" href="http://stalkertrack.com/promotion.html" target="_newWindow">http://stalkertrack.com/promotion.html</a>

[kieranmullen]

Stupid GoDaddy Techs

Could havejust changed the DNS server for his domain and locked his account. More DNS servers are set to update much quicker that they used to. It is possible to have dns information replicated in a hour... a far cry from the 24-48 hours it used to be.

KieranMullen

[0x90]

Process

They should have done the right thing and just called Fyodor instead of shutting it down with no questions asked. It is stupid that some big corp can just call up godaddy and yank the domain. There were better ways to deal with that.

[kieranmullen]

Stupid GoDaddy Techs

Could havejust changed the DNS server for his domain and locked his account. More DNS servers are set to update much quicker that they used to. It is possible to have dns information replicated in a hour... a far cry from the 24-48 hours it used to be.

KieranMullen

[CBSTV]

GoDaddy has lost my business

I just moved my domains away from GoDaddy. It is wrong for them
to delete customers' domains without a legal court order.

[Havrenko]

how did myspace get it's start?

I got spammed by them mercilessly when they first launched. With their crap design and unprofessional marketing I thought myspace was just something a coder in his basement put together along the lines of a hotornot type site.

Did myspace get busted for spamming? Not as far as I have ever heard.

[kjkenney2]

Actually...

They did..hence them not doing it anymore... Dur.

[perfectblue97]

Let me get this straight....

....A third party published a list of Myspace usernames and passwords on Seclists.org? Myspace found out, and Godaddy pulled the domain?

[0x90]

Yup

That's about right.

[kpolillo]

godaddy ruined my life !

I had over 20 domains registered with godaddy for various clients. One of my clients was sending Opt-In email lists from his domain which generated some complaints and godaddy responded by suspending all my domains including the domains of a high school band and a pet rescue organazation that I hosted. They then refused to even let me transfer the domains to another registrar until I paid them $250.00 per domain name "suspension fee".

[maxo3]

I don't beleive your story...

Your not telling all details. If you were hosting with them they have every right to suspend service for spamming. Opt-in or otherwise. You just bitter and want to vent.

[kjkenney2]

LOL

haha, great story. if only it were true. You should save that for parties and stories to your grandkids someday.

[wbenton]

GoDaddy is serious about their domains

If you did something to get on their blacklists... then what you did was awful as they don't just remove a domain without due cause.

As for removing all of your domains? I find that hard to believe. They might have removed one... but if you uploaded the same stuff to another domain you had... then I could forsee them closing down one after the other of your domains... but it's sorta hard to believe unless you repeatedly violated their TOS.

GoDaddy did the right thing this time around. I don't have the details about your case to say anything futher than it's a hard to believe smear story!

FWIW

[michaelo1966]

GoDaddy did the right thing

A hacker once attached my ex's website and pulled it down: a non-profit but popular women's health site. The hacker defaced it w/ links back to his own website, called blackartshacking (or something like that -- don't remember).

RackSpace was their host and they did take the server offline, but only long enough to find the server owner who admitted selling subdomains to the hacker (who admitted the attack). They put the site back on w/ a verbal promise that they no longer hack -- yeah, right -- and refused to give me the hacker's real name w/o a subpoena.

I think GoDaddy did the right thing in taking the site offline. In fact, I disagree with their eventual decision to restore it. There is no excuse/reason to publish a list of uid's/passwords and no responsible ISP should publish that. If something really wants the info online they can set up a personal webserver in their house and lead the FBI to their own door, rather than hiding behind an ISP.

[0x90]

Clueless

You are so clueless. SecLists.org provides access to some of the best security information available. They don't control the content - they simply provide the transport. It'd be about like shutting down Google because they return "hacking" information (and the kludgey myspace password lists).

[Starryid1]

GODADDY DID THE RIGHT THING

I'm with whoever wrote this. I and a lot of others I know use myspace and....well, it doesn't take a brain surgeon to figure it out.
They did the right thing.

[rcrusoe]

Great commercials, but no thanks

GoDaddy knows how to make "interesting" SuperBowl commercials but if this story is correct, I'll never give them any more business.

IMO, you can't make this kind of business decision without talking to both parties or receiving a court order.

[andrew999999999]

Not the first time...

Kudos to CNET for shedding light on this. It's ironic that GoDaddy, led by free speech advocate Bob Parsons, would let this happen. But it's not the first time a registrar has been in this position:

<a class="jive-link-external" href="http://domainnamewire.com/2007/01/26/godaddy-faces-pr-nightmare-over-domain-suspension/" target="_newWindow">http://domainnamewire.com/2007/01/26/godaddy-faces-pr-nightmare-over-domain-suspension/</a>

[phantomsoul]

Its about Security

If your site host determines (by their own means or someone else's advice, as in this case) that the content of your site is posing a significant compromise to the security of the general Internet and the content owner cannot be immediately reached, the site has to be suspended until the owner can be reached. MySpace is a very large and popular site, and millions of people's identity preservation depends on the security of MySpace -- so to that end, this is pretty significant.

I mean, what else are you gonna do? Continue compromising the Internet's security so your client doesn't start whining and stomping his feet? Let's grow up here folks.

That said though, I would only validate this argument on things that are obviously accepted to be mass security threats. ISPs/Registrars should never be allowed to demote content because of conflicting social opinion, political opinion, etc. THAT would be just plain censorship then.

[alt130]

If it's about security, then why not do it properly?

What they did here did little to protect Myspace users. The information was already out.

What Myspace should have done was taken the list of compromised accounts, piped them into a simple script to disable the passwords, and send an email to the affected users. Why didn't they? Probably to try to save themselves the embarassment. Instead, they took the less secure route and had another website shut down.

So, in addition to this disturbing action, the problem still hasn't been resolved. Good work, folks.

[JoeF2]

It is about Security at MySpace

"Let's grow up here folks."

Yes, let's grow up. MySpace and the MySpace users have an obligation to protect their passwords. If they can't, THEY are the ones that should be suspended.
Security through obscurity is NO security. In fact, this list is available through other security mailing lists (I don't subscribe to Fyodor's list, but I have seen it through other lists.)
Instead of complaining to GoDaddy, MySpace should have suspended their users until they have changed their passwords. THAT is the grown-up way to handle these things.

[whatisgoingonnow]

What about MySpace Data Security?

I'm just curious about how a list of MySpace user names and passwords were even available to post. Doesn't this point to a flaw in MySpace Data Security and their ability to protect their user's information? MySpace should take responsibility for the data compromise. They are the real problem, not seclists.org.

[chort0]

Great, now I have to find a new registrar

I liked the price and the usability of GoDaddy. Their tools are
really good.

Now I need to find a registrar that won't shut me down at the
request of some large corporation that I might happen to offend.

Don't any companies worry about Customer Service any more?

--
chort

[OneWithTech]

Go Daddy is in the right on this.

It's easy for you to say that your going to get another registrar
but those of use that manage anywhere from 10 to hundreds of
domains know how hard it is to get this done. So lets not try to
steer the issue because of those that think that GoDaddy was in
the wrong.

Think of it this way, do to our very Congress the WWW is a
freeway that is out of control. Although Congress would like to
think that the States could bear the burden of regulating
technology; that fact is that they [the States] can't effectively do
this and it has been proven time and time again.

Through a lack of Congressional involvement on the internet
Child Porn flourish's and identity theft increases from 1 in 8
adults affected last year to 1 in 6 this year.

I don't know about any of you but I do know that human nature
tells us that Federal Laws are serious and BIG FINES hit us in the
pockets were it counts the most. So until Congress decides to
get off there A*S*S's and decide to take the plunge and tackle
the serious issues of the net that they have been avoiding for
years now.

It's not GoDaddy's fault in this issue. GoDaddy was only
ensureing our safety and if you think that you need to go to
another Domain Name provider because of this then maybe you
too have something to hide that only a Federal Law will take care
of?

Think of this, a DeadLock for a year over the AT&#38;T / Cingular
deal (Technology Based) and 2 weeks before the Cingular backed
iPhone debuts Congress gets off there ass's and does
something! Is that what it's going to take to ensure that my little
boy and little girl stay safe on the net. Am I going to have to go
to the HILL and offer all of you Congress People money to keep
my kids safe and people like my brother from stealing my
identity (He just go out and is still doing the same ****).

So don't blame GoDaddy for protected US digitally. Blame
Congress for NOT Protecting US digitally.

J Gund
Tech01
justingund@gmail.com

[Penguinisto]

No, they are not. This is why:

Otherwise, I could shut down any website I wanted to so long as there was a way for me to post something to that site.

All I would have to do is upload some objectionable content to the comments or public-facing data entry section of the site I wanted taken down, then report its existence (while pretending to be someone else) to an authority or copyright holder hyper enough (and big enough) to get the site taken down.

Congress itself needs to stay the Hell away from the Internet - Yes there are bad things on it, but governmental bodies tend to make a bigger mess than the ones they originally wanted to clean up.

/P

[mbreese]

You didn't read the story did you?

The point is that they didn't follow a procedure that was fair to their customer, but instead took it upon themselves to act in a manner beyond was is required of them by law to accommodate MySpace.

Don't try and spin the US Government's ineffectiveness in dealing with Tech into an excuse for this behavior.

This had nothing to do with criminal activity. It wasn't child porn, it wasn't identity theft (in the physical world), it was an _archive_ of a _mailing list_ that contained users names and passwords that was old.

There was no immediate danger to anyone and a more thorough handling of this would have avoided this PR nightmare.

[novelator]

You're way off base here

I don't want Congress trying to "police" the Net. Let's get established right now. I could give you a million reasons why, first and foremost being my rights and freedoms, both subjects Congress is wholly unfamiliar with, but that is not the point I wish to make.

You and other parents like you should not be so willing to shift your parental responsibilities to Congress or any other entity, government or not. YOU should know what your children are viewing or not viewing on the Net, just as YOU should know who their friends are and where your children are going. YOU and only YOU should be the one to ensure your children's safety, on the Net and elsewhere. I'm afraid YOU are just another example of the "send the kids anywhere but here" mentality that's the crux of the real problem.

I don't want Congress trying to solve my problems, nor do I expect this of them. I have a sister I haven't spoken to in twenty years because she would steal my identity in a heart beat and shove what little cash she could get from that venture up her nose.

The point I'm trying to make here is that above all else, YOU have to accept responsibility for your own life and that of your children's and act accordingly, whether that means not allowing others into said life. I don't want Congress screwing up any more of my rights and freedoms to accomodate your failure to do so.

[novelator]

You're way off base here

I don't want Congress trying to "police" the Net. Let's get established right now. I could give you a million reasons why, first and foremost being my rights and freedoms, both subjects Congress is wholly unfamiliar with, but that is not the point I wish to make.

You and other parents like you should not be so willing to shift your parental responsibilities to Congress or any other entity, government or not. You should know what your children are viewing or not viewing on the Net, just as YOU should know who their friends are and where your children are going. You and only you should be the one to ensure your children's safety, on the Net and elsewhere. I'm afraid you are just another example of the "send the kids anywhere but here" mentality that's the crux of the real problem.

I don't want Congress trying to solve my problems, nor do I expect this of them. I have a sister I haven't spoken to in twenty years because she would steal my identity in a heart beat and shove what little cash she could get from that venture up her nose.

The point I'm trying to make here is that above all else, you have to accept responsibility for your own life and that of your children's and act accordingly, whether that means not allowing others into said life. I don't want Congress screwing up any more of my rights and freedoms to accomodate your failure to do so.

[Ganymede28211]

OMG!

Interestingly enough.. I have to wonder about a real world example here....

Just YESTERDAY, my gf noticed that her best friends little sister had images on her myspace page... This little sister is 16 years old.. and the pictures consisted of nudity of herself.

I am wondering if GoDaddy would have pulled the likes of myspace after only 52 seconds of no response to a voicemail over this?

Instead, my girlfriend IMMEDIATELY contacted her best friend (the girls older sister) and told her what she saw on her profile, which in turn the friend contacted the mother and the whole profile was forced to be deleted by the mom.

BUT, had she contacted myspace, it would have been days to just get a reply from their support... as it usually is... in fact, some things I have never received reply about from myspace... Had she contacted their registrar, she probably would have been referred back to contacting myspace..

But GoDaddy... I'd like to see what would have happened...

Also, I noticed i didn't see whether or not they stated the usernames and passwords were valid. Anyone can make a list all they want and call it what they want... Verification prolly would not have hurt as something to stand behind.

In the case I speak of with the images.. The content was removed very timely... and no one lost their domain name...

On a personal opinion, I have never liked godaddy... I work in IT and have dealt with them several times and it seems their information has 'preyed' upon customers who just don't know any better and listen to what godaddy tells them.

And as for MySpace... I hear Tom died... (that's a joke.. only a billion false bulletins on myspace going around about things like that)

[PCCRomeo]

Well then you'll be looking for a long time

for a registrar who won't yank your site down so quickly your head
will spin. I personally like GoDaddy and am very happy with their
quality of service, but hey, I'm not doing anything illegal...

[Kelson]

Overkill

Let's see... one page out of 250,000 on a site turns out to have content that could compromise security at another site. So MySpace contacts the registrar, and gets the *entire site* shut down?

That's like using a hand grenade to swat a fly.

The logical way to go about this is as follows:

1. Contact the site maintainer and convince them them to take the page down.
2. If that fails, contact the hosting provider, and convince them to take the page down.

Myspace should not have even contacted GoDaddy until they took the first two steps. And once GoDaddy was contacted, they should have done more investigation. Even if they still decided to suspend the registration, they should have warned him, or at the very least told him *why* it was being suspended (beyond the vague reference to TOS abuse) and how he could resolve it.

Disabling the entire site with (apparently) minimal investigation is overreaction, plain and simple. I think the quote at the end, where they refused to rule out taking down an entire news site to block access to one story -- or even one comment -- is telling.

[ifoster]

where did they get the information

The real bit of news that I would like to see is where and how Seclists.org got the information.

[Kelson]

It's a mailing list archive.

Seclist.org includes archives of several security-related mailing lists. The link to the site owner's email announcement explains:

"Anyway, everyone has this latest password list now, and it was even posted (several times) to the thousands of members of the fulldisclosure mailing list more than a week ago. So it was archived by all the sites which archive full-disclosure, including SecLists.Org."

[ifoster]

where did they get the information

The real bit of news that I would like to see is where and how Seclists.org got the information.

[JoeF2]

It is all over the place

On pretty much all security lists, including a description on how the information was obtained (through an overlay on the browser window).
MySpace needs to get a clue. Security through obscurity doesn't work. They should focus on fixing their system instead of going after mailing list mirrors.

[System Tyrant]

GoDaddy is bad.

Well with the information that I have on the subject I going to say that MySpace and GoDaddy were both in the wrong on this one. Given the nature of the information I can certainly understand the desire to get it off the web, but it sounds to me like it's already all over the web.

I think the truth is that GoDaddy either didn't investigate the objectionable material or they did a **** poor job at investigating it. Frankly, it's my opinion, which isn't worth much, that GoDaddy screwed up and so did MySpace.

Lucky for me I use neither and after this I don't plan on using GoDaddy. Not that they care.

[Thomas, David]

GoDaddy did the right thing

As SOON as you find security breach information being posted
on a website, you should ALWAYS immediately remove it. Then
a persistent effort MUST be made to contact the owner of the
website. I am not sure how the last part of that played out. But
anyone complaining that GoDaddy bent over, is a complete idiot.

If YOUR user names, and passwords were posted on a website,
the last thing you want is a negotian to take place before that
confidential information could be picked up by even more
people.

What occurred with the security site, was NOT free speech. It's
called aiding and abetting. I hope most of you aren't so
completely devoid of rational thought would think that GoDaddy
was somehow wrong.

[solrosenberg]

Nope

No, if my usernames and passwords were posted on a site, the first thing I would do is CHANGE THEM. The second thing I would do if find out how they got on the site in the first place. Removing the site from the DNS is shutting the barn door after the horses are long gone.

If someone posts a list of usernames and passwords in this thread, should news.com be taken offline?

[kobe wild]

Dont use Godaddy

The point of the story is:
Godaddy has in the past set restriction on what you can do with "Your Site"
if its registered using godaddy.
That's the number one reason I would never use them to host my domain name.
It's one thing to take down your site if you were hosing your site web pages with them.
It's completely another if your just using them as the domain name register.
Who electing you as the web police, godaddy sucks.
Don't even think of registering a p2p site or a torrent tracker with them.
If they don't want to host the domain name fine but they have also in the past
refused to release a domain name back to the owner of that domain.
He wanted to move that name to a different provider after godaddy decided
to pull domain name from there dns.
Don't register your name with godaddy it?s cheap for a reason.