MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists

from the silly-companies dept

Thu, Jan 25th 2007 6:21pm — Mike Masnick

Rich Kulawiec writes in to point out that Seclists.org, a site that archives various security-related discussion email lists (and run by Fyodor, author of nmap, and generally well-known within the security realm) was yanked offline completely yesterday thanks to a bogus complaint from MySpace to the registrar/hosting company Fyodor used, GoDaddy. It seems that MySpace was freaking out that yet another big list of MySpace usernames and passwords had leaked (and spread all over the net). So, they went into damage control mode. A few copies of the MySpace list had been mailed to one of the security mailing lists archived as Seclists, and rather than simply asking that they be removed, MySpace went straight to the hosting company to get the entire domain turned off -- which GoDaddy did without question (or giving Fyodor a chance to appeal). In other words, they shut down a huge domain full of useful information that was used by a lot of people, over one complaint on some information that is widely available all over the internet. Fyodor also notes that these types of bogus requests to hosting companies and registrars are only increasingly lately. It seems like there may be an opportunity for a registrar hosting company to advertise that they don't wilt at the first sign of legal language, and at least give their customers a chance to respond.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Chris Maresca, 25 Jan 2007 @ 6:38pm

Seclists.org seems fine to me...
I don't have any trouble getting to the site....

Chris.
[ link to this | view in chronology ]
- Mike (profile), 25 Jan 2007 @ 10:27pm
  
  Re: Seclists.org seems fine to me...
  I don't have any trouble getting to the site....
  
  He moved it to a new host.
  [ link to this | view in chronology ]
Bryan Price, 25 Jan 2007 @ 7:48pm

That's another company
for me to not do business with. Not that I have.

27B Stroke 6 carries some good details.

GoDaddy got back to me. General counsel Christine Jones defends taking down SecLists.org, saying that Fyodor had close to an hour to respond to GoDaddy's voicemail and e-mail warnings yesterday, and didn't.

"We couldn't reach him, and because the content was hundreds and hundreds of MySpace user names and password, we went ahead and redirected the domain to remove that content," she says.

…

"For something that has safety implication like that, we take it really seriously," she says. "For spammers, we give people a little bit of time to respond to us."

…

Jones stands by the decision.

"Should registrars be involved in this? I'm not sure," she says. "We're the largest domain registrar in the world, and my view is, for $8.95 its not okay for somebody to come and use our services to harm other people."

-----

Update

Fyodor responds:

…

Fyodor also sent in his timeline of events, supported by copy of the voicemail (.wav) from GoDaddy telling him he was scheduled for suspension, and the e-mail message telling him he'd been suspended. The difference between the two appears to be one minute, not one hour.

I called back Jones, and she admits she doesn't know exactly how much notice he had.

"I think the fact that we gave him notice at all was pretty generous," she said.

That's absolutely sad and horrible. I will refuse to do any business with them.
[ link to this | view in chronology ]
Liam, 25 Jan 2007 @ 7:48pm

So can I
Either the dns is slow like a bitch, it's back up, or it never happened?
[ link to this | view in chronology ]
wiley, 25 Jan 2007 @ 7:53pm

dude
they posted usernames and passwords
if it was for bank america they would have been arrested
he needs to stop bitching
[ link to this | view in chronology ]
- Anonymous Coward, 25 Jan 2007 @ 8:52pm
  
  Re: dude
  like, i know right, my myspace login information is like, WAAAAY TOTALLY as important as like, my bank information. like, totally.
  [ link to this | view in chronology ]
- Paul, 26 Jan 2007 @ 12:43am
  
  Re: dude
  Sorry, I think you're missing the point: seclists.org didn't create the content, they just happened to have the site where it was posted.
  
  What should have happened is this: MySpace contact seclists.org, with a court order if they thought it necessary, to remove the content from the site. Then, if they wanted to sue/prosecute someone, they both work together to go after the people who made the post.
  
  Getting the *entire* site removed from the internet because somebody made a post is completely wrong both on the part of MySpace for contacting the host instead of the site, and on the part of GoDaddy for just blindly following the request instead of negotiating with their own customer.
  [ link to this | view in chronology ]
- araemo, 26 Jan 2007 @ 5:22am
  
  Re: dude
  Would have been arrested? Because someone emailed a list to a mailing list that he has no control over, and automatically archives? I don't think so, I think he's got the common carrier/safe harbor exception there.
  [ link to this | view in chronology ]
- FIREDOG, 26 Jan 2007 @ 11:55am
  
  Re: dude
  You need to understand that sites like this are not doing this to hurt the public... It is doing it to show you that there is a security problem with this company (MySpace) and that users need to be aware! MySpace should be thanking them for showing the security flaws so they can fix them...
  [ link to this | view in chronology ]
Anonymous Coward, 25 Jan 2007 @ 10:40pm

getting worse indeed
I work for a hosting company and we just had to hire a full-time tech/legal person dedicated to handling these kinds of complaints.

If MySpace's complaint was anything like what we get on a regular basis then it probably threatened to sue GoDaddy if they didn't take it down. Of course, I'm pretty sure there's lots of precedent that says we're not at fault but your typical support tech at any hosting company isn't going to have the legal expertise to figure out whether or not the complaint is completely bogus and so I imagine most are trained to just comply and wait for the customer to complain. If they don't complain then the site either wasn't important or they were in the wrong and they know it. At least that's what I imagine happens.

We laugh them off unless the complaint also violates our TOS. If they threaten legal action, we tell them to have their lawyer contact us. Most complaints just disappear with that one.
[ link to this | view in chronology ]
NoverNetSBandit, 26 Jan 2007 @ 12:19am

hosting
there used to be days when hosting companies didnt worry about petty shit... like days of the old credit card generators.. aol 3.0 days that were hosted thru such sites as geocities or 2600dotcom why do we all scare so easily now to threats... last i checked anyone can still post what they want to there own site. I hosting companies in the us have got to worried about who, what, when, where then they have to.
What happened to the days of old?
[ link to this | view in chronology ]
Michael Vilain, 26 Jan 2007 @ 2:20am

It's a good thing and a bad thing
GoDaddy is well known for being a chickenshit about any complaints. At $9/site, they aren't going to spend a lot of money in court or with lawyers dealing with any complaints, legal or otherwise. It's in their terms of service, plain and simple. For someone who uses them to host a critical domain, tuff titties. Should have gone with Network Solutions or some other registrar that doesn't care.

On the plus side, spammers choose GoDaddy a lot. When I report spam or phishing to them from sites they're the registar, they usually take it down. No court order needed, just a LART email.
[ link to this | view in chronology ]
Rich Kulawiec, 26 Jan 2007 @ 7:48am

Re: dude
You've missed multiple points here.

The URL of the entire username/password list was posted to a PUBLIC
mailing list with multiple PUBLIC archives, of which Fyodor's is only one

At that point, the game is over. There is no point in even thinking
about trying to suppress the information by any means. It's in the wild,
and no posturing, threatening, or anything else will undo that.

The only things that can be done are (a) to notify the affected users
(b) to change their passwords -- don't wait for them to do it --
(c) to figure out how this was done and take steps to avoid a repeat
(d) to alert all MySpace users, since nothing guarantees that the list
in question included *all* compromised accounts and (e) to publicly
apologize for the problem.

Shooting the messenger, as MySpace did with GoDaddy's collusion,
simpy reveals their own incompetence and lack of comprehension.
It's thus hardly surprising that this is not the only security issue
they have.

And now they have -- by their very ill-advised handling of
this incident, especially given Fyodor's well-deserved standing in
the community -- sent the message to all security researchers that
they are much better off NOT reporting or discussing any problems
with MySpace publicly.

This is an amazingly stupid move. They *might* be able to undo
the damage if they issued an unconditional public apology to Fyodor,
in which they admit that they were completely wrong, AND in which
they offer to pick up the tab for his expenses in moving. But I doubt
that will happen.

Pity. Perhaps one day, when they've reaped what they've
sown, they will learn.
[ link to this | view in chronology ]
Ben Butler, 26 Jan 2007 @ 4:10pm

GoDaddy Response
I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org. As we have said to our customers - Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action. In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time. In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour. In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is. An important issue I would ask you to consider is one that is a top priority for us at Go Daddy – child exploitation or even the potential for it. I don’t know of any parent who wouldn’t want their child’s username and password protected. Ben Butler Director of Network Abuse The Go Daddy Group, Inc Abuse@GoDaddy.com
[ link to this | view in chronology ]
Oh Well then!, 26 Jan 2007 @ 6:55pm

Oh, it's for the children!
Oh PLEASE,

The readers of Techdirt are a bit too sophisticated to fall in line for that tired old saw.
Aside from the fact that most of the "members" of MySpace are not children as such, the same information is still available on many other lists and archives.

The genie was out of the bottle, your cork was too late & useless for preventing the spread of the information.

The timing of your actions appears to be not what you have claimed, one minute is not one hour.

I am removing all of the (at least it's only 5) domains I have registered with you to another registrar that will actually call me & give me time to respond iff something like this happens on one of my systems.
[ link to this | view in chronology ]
Area66, 28 Jan 2007 @ 2:36pm

DNS/server
This just points out why we should run multiple DNS servers under our own control (you can do this).
And multi-homed servers (mirrors - this isn't a how to, so overlook the lack of detail) of our sites (you can do this also).
The level of redundancy (and number of distinct countries you operate in) is up to you. By doing this no one will ever take your site down.
Cost - yes.
Technical know how - a requirement.
Knowing the only way to take your voice down is to take down the entire net - priceless.
[ link to this | view in chronology ]
sean melendrez, 4 Feb 2007 @ 10:47pm

no
please dont shut off myspace
[ link to this | view in chronology ]
Anonymous Coward, 27 Apr 2007 @ 4:00pm

MySpace has been shown to be used by pedophiles to find their next victims.... By MySpace's logic they should take their own site down, just to protect the kids. Anyway, I am having serious thoughts about moving my 20-30 domain names to another registrar......
[ link to this | view in chronology ]
Bob North Smithfield, 4 Sep 2007 @ 5:33pm

My Space and "Security" On Not On The Same Page.
Just my opinion.
[ link to this | view in chronology ]
fodder99 (profile), 11 Jul 2012 @ 7:24am

Myspace hardly gets a mention in the press nowadays. Just as I imagine the same thing will happen to twitter in 5 or 6 years too.
[ link to this | view in chronology ]