MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists
from the silly-companies dept
Rich Kulawiec writes in to point out that Seclists.org, a site that archives various security-related discussion email lists (and run by Fyodor, author of nmap, and generally well-known within the security realm) was yanked offline completely yesterday thanks to a bogus complaint from MySpace to the registrar/hosting company Fyodor used, GoDaddy. It seems that MySpace was freaking out that yet another big list of MySpace usernames and passwords had leaked (and spread all over the net). So, they went into damage control mode. A few copies of the MySpace list had been mailed to one of the security mailing lists archived as Seclists, and rather than simply asking that they be removed, MySpace went straight to the hosting company to get the entire domain turned off -- which GoDaddy did without question (or giving Fyodor a chance to appeal). In other words, they shut down a huge domain full of useful information that was used by a lot of people, over one complaint on some information that is widely available all over the internet. Fyodor also notes that these types of bogus requests to hosting companies and registrars are only increasingly lately. It seems like there may be an opportunity for a registrar hosting company to advertise that they don't wilt at the first sign of legal language, and at least give their customers a chance to respond.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Seclists.org seems fine to me...
Chris.
[ link to this | view in thread ]
That's another company
27B Stroke 6 carries some good details.
That's absolutely sad and horrible. I will refuse to do any business with them.
[ link to this | view in thread ]
So can I
[ link to this | view in thread ]
dude
if it was for bank america they would have been arrested
he needs to stop bitching
[ link to this | view in thread ]
Re: dude
[ link to this | view in thread ]
Re: Seclists.org seems fine to me...
He moved it to a new host.
[ link to this | view in thread ]
getting worse indeed
If MySpace's complaint was anything like what we get on a regular basis then it probably threatened to sue GoDaddy if they didn't take it down. Of course, I'm pretty sure there's lots of precedent that says we're not at fault but your typical support tech at any hosting company isn't going to have the legal expertise to figure out whether or not the complaint is completely bogus and so I imagine most are trained to just comply and wait for the customer to complain. If they don't complain then the site either wasn't important or they were in the wrong and they know it. At least that's what I imagine happens.
We laugh them off unless the complaint also violates our TOS. If they threaten legal action, we tell them to have their lawyer contact us. Most complaints just disappear with that one.
[ link to this | view in thread ]
hosting
What happened to the days of old?
[ link to this | view in thread ]
Re: dude
What should have happened is this: MySpace contact seclists.org, with a court order if they thought it necessary, to remove the content from the site. Then, if they wanted to sue/prosecute someone, they both work together to go after the people who made the post.
Getting the *entire* site removed from the internet because somebody made a post is completely wrong both on the part of MySpace for contacting the host instead of the site, and on the part of GoDaddy for just blindly following the request instead of negotiating with their own customer.
[ link to this | view in thread ]
It's a good thing and a bad thing
On the plus side, spammers choose GoDaddy a lot. When I report spam or phishing to them from sites they're the registar, they usually take it down. No court order needed, just a LART email.
[ link to this | view in thread ]
Re: dude
[ link to this | view in thread ]
Re: dude
The URL of the entire username/password list was posted to a PUBLIC
mailing list with multiple PUBLIC archives, of which Fyodor's is only one
At that point, the game is over. There is no point in even thinking
about trying to suppress the information by any means. It's in the wild,
and no posturing, threatening, or anything else will undo that.
The only things that can be done are (a) to notify the affected users
(b) to change their passwords -- don't wait for them to do it --
(c) to figure out how this was done and take steps to avoid a repeat
(d) to alert all MySpace users, since nothing guarantees that the list
in question included *all* compromised accounts and (e) to publicly
apologize for the problem.
Shooting the messenger, as MySpace did with GoDaddy's collusion,
simpy reveals their own incompetence and lack of comprehension.
It's thus hardly surprising that this is not the only security issue
they have.
And now they have -- by their very ill-advised handling of
this incident, especially given Fyodor's well-deserved standing in
the community -- sent the message to all security researchers that
they are much better off NOT reporting or discussing any problems
with MySpace publicly.
This is an amazingly stupid move. They *might* be able to undo
the damage if they issued an unconditional public apology to Fyodor,
in which they admit that they were completely wrong, AND in which
they offer to pick up the tab for his expenses in moving. But I doubt
that will happen.
Pity. Perhaps one day, when they've reaped what they've
sown, they will learn.
[ link to this | view in thread ]
Re: dude
[ link to this | view in thread ]
GoDaddy Response
[ link to this | view in thread ]
Oh, it's for the children!
The readers of Techdirt are a bit too sophisticated to fall in line for that tired old saw.
Aside from the fact that most of the "members" of MySpace are not children as such, the same information is still available on many other lists and archives.
The genie was out of the bottle, your cork was too late & useless for preventing the spread of the information.
The timing of your actions appears to be not what you have claimed, one minute is not one hour.
I am removing all of the (at least it's only 5) domains I have registered with you to another registrar that will actually call me & give me time to respond iff something like this happens on one of my systems.
[ link to this | view in thread ]
DNS/server
And multi-homed servers (mirrors - this isn't a how to, so overlook the lack of detail) of our sites (you can do this also).
The level of redundancy (and number of distinct countries you operate in) is up to you. By doing this no one will ever take your site down.
Cost - yes.
Technical know how - a requirement.
Knowing the only way to take your voice down is to take down the entire net - priceless.
[ link to this | view in thread ]
no
[ link to this | view in thread ]
[ link to this | view in thread ]
My Space and "Security" On Not On The Same Page.
[ link to this | view in thread ]
[ link to this | view in thread ]