MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists
from the silly-companies dept
Rich Kulawiec writes in to point out that Seclists.org, a site that archives various security-related discussion mailing lists (run by Fyodor, author of nmap and well known within the security community), was yanked offline completely yesterday thanks to a bogus complaint from MySpace to the registrar/hosting company Fyodor used, GoDaddy. It seems MySpace was freaking out that yet another big list of MySpace usernames and passwords had leaked (and spread all over the net), so it went into damage-control mode. A few copies of the MySpace list had been mailed to one of the security mailing lists archived at Seclists, and rather than simply asking that they be removed, MySpace went straight to the hosting company to get the entire domain turned off, which GoDaddy did without question (and without giving Fyodor a chance to respond). In other words, they shut down a huge domain full of useful information used by a lot of people over one complaint about information that is already widely available all over the internet. Fyodor also notes that these kinds of bogus requests to hosting companies and registrars have only been increasing lately. It seems like there may be an opportunity for a registrar or hosting company to advertise that it doesn't wilt at the first sign of legal language, and at least gives its customers a chance to respond.
Comments on “MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists”
Seclists.org seems fine to me...
I don’t have any trouble getting to the site….
Chris.
Re: Seclists.org seems fine to me...
I don’t have any trouble getting to the site….
He moved it to a new host.
That's another company
for me to not do business with. Not that I have.
27B Stroke 6 carries some good details.
That’s absolutely sad and horrible. I will refuse to do any business with them.
So can I
Either the dns is slow like a bitch, it’s back up, or it never happened?
dude
they posted usernames and passwords
if it was for bank america they would have been arrested
he needs to stop bitching
Re: dude
like, i know right, my myspace login information is like, WAAAAY TOTALLY as important as like, my bank information. like, totally.
Re: dude
Sorry, I think you’re missing the point: seclists.org didn’t create the content, they just happened to have the site where it was posted.
What should have happened is this: MySpace contacts seclists.org, with a court order if they thought it necessary, to remove the content from the site. Then, if they wanted to sue/prosecute someone, they both work together to go after the people who made the post.
Getting the *entire* site removed from the internet because somebody made a post is completely wrong both on the part of MySpace for contacting the host instead of the site, and on the part of GoDaddy for just blindly following the request instead of negotiating with their own customer.
Re: dude
Would have been arrested? Because someone emailed a list to a mailing list that he has no control over, and automatically archives? I don’t think so, I think he’s got the common carrier/safe harbor exception there.
Re: dude
You need to understand that sites like this are not doing this to hurt the public… It is doing it to show you that there is a security problem with this company (MySpace) and that users need to be aware! MySpace should be thanking them for showing the security flaws so they can fix them…
getting worse indeed
I work for a hosting company and we just had to hire a full-time tech/legal person dedicated to handling these kinds of complaints.
If MySpace’s complaint was anything like what we get on a regular basis then it probably threatened to sue GoDaddy if they didn’t take it down. Of course, I’m pretty sure there’s lots of precedent that says we’re not at fault but your typical support tech at any hosting company isn’t going to have the legal expertise to figure out whether or not the complaint is completely bogus and so I imagine most are trained to just comply and wait for the customer to complain. If they don’t complain then the site either wasn’t important or they were in the wrong and they know it. At least that’s what I imagine happens.
We laugh them off unless the complaint also violates our TOS. If they threaten legal action, we tell them to have their lawyer contact us. Most complaints just disappear with that one.
hosting
There used to be days when hosting companies didn't worry about petty shit… like the days of the old credit card generators, the AOL 3.0 days, that were hosted through such sites as GeoCities or 2600dotcom. Why do we all scare so easily now at threats? Last I checked, anyone can still post what they want to their own site. Hosting companies in the US have gotten more worried about who, what, when and where than they have to.
What happened to the days of old?
It's a good thing and a bad thing
GoDaddy is well known for being a chickenshit about any complaints. At $9/site, they aren’t going to spend a lot of money in court or with lawyers dealing with any complaints, legal or otherwise. It’s in their terms of service, plain and simple. For someone who uses them to host a critical domain, tuff titties. Should have gone with Network Solutions or some other registrar that doesn’t care.
On the plus side, spammers choose GoDaddy a lot. When I report spam or phishing to them from sites where they're the registrar, they usually take it down. No court order needed, just a LART email.
dude
You’ve missed multiple points here.
The URL of the entire username/password list was posted to a PUBLIC mailing list with multiple PUBLIC archives, of which Fyodor's is only one.

At that point, the game is over. There is no point in even thinking about trying to suppress the information by any means. It's in the wild, and no posturing, threatening, or anything else will undo that.

The only things that can be done are (a) to notify the affected users, (b) to change their passwords (don't wait for them to do it), (c) to figure out how this was done and take steps to avoid a repeat, (d) to alert all MySpace users, since nothing guarantees that the list in question included *all* compromised accounts, and (e) to publicly apologize for the problem.

Shooting the messenger, as MySpace did with GoDaddy's collusion, simply reveals their own incompetence and lack of comprehension. It's thus hardly surprising that this is not the only security issue they have.

And now they have, by their very ill-advised handling of this incident, especially given Fyodor's well-deserved standing in the community, sent the message to all security researchers that they are much better off NOT reporting or discussing any problems with MySpace publicly.

This is an amazingly stupid move. They *might* be able to undo the damage if they issued an unconditional public apology to Fyodor, in which they admit that they were completely wrong, AND in which they offer to pick up the tab for his expenses in moving. But I doubt that will happen.

Pity. Perhaps one day, when they've reaped what they've sown, they will learn.
GoDaddy Response
I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org.
As we have said to our customers – Go Daddy is committed to keeping the Internet a safe place. If there is material online that is jeopardizing Internet safety, we will take necessary action.
In this case, Go Daddy attempted to contact the customer with regard to a large list of MySpace user names and passwords which appeared on his Web site. The registrant was not available at the time.
In order to protect users of MySpace from the risk of having private data revealed, we removed the site until we could make contact with our customer. Once we were able to discuss the issue with the registrant, he assured us he would remove the offending material and we re-enabled his site while he was on the phone. The site was back up within one hour.
In each case like this, my department follows a set of operating procedures evaluating whether to remove hosting content or to redirect domain names. The decision is carefully made on a case-by-case basis. Most times, the site is left as is.
An important issue I would ask you to consider is one that is a top priority for us at Go Daddy – child exploitation or even the potential for it.
I don’t know of any parent who wouldn’t want their child’s username and password protected.
Ben Butler
Director of Network Abuse
The Go Daddy Group, Inc
Abuse@GoDaddy.com
Oh, it's for the children!
Oh PLEASE,
The readers of Techdirt are a bit too sophisticated to fall in line for that tired old saw.
Aside from the fact that most of the “members” of MySpace are not children as such, the same information is still available on many other lists and archives.
The genie was out of the bottle, your cork was too late & useless for preventing the spread of the information.
The timing of your actions appears to be not what you have claimed, one minute is not one hour.
I am removing all of the (at least it's only 5) domains I have registered with you to another registrar that will actually call me & give me time to respond if something like this happens on one of my systems.
DNS/server
This just points out why we should run multiple DNS servers under our own control (you can do this).
And multi-homed servers (mirrors – this isn’t a how to, so overlook the lack of detail) of our sites (you can do this also).
The level of redundancy (and number of distinct countries you operate in) is up to you. By doing this no one will ever take your site down.
Cost – yes.
Technical know how – a requirement.
Knowing the only way to take your voice down is to take down the entire net – priceless.
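A quick way to check whether a delegation really has the redundancy the comment above describes is to look at the published NS records: several name servers that all sit under one parent domain, in one network, and inside the zone itself still share a single point of failure. The script below is an added example and not code from the page, from seclists.org or from GoDaddy; the name servers and addresses are constructed sample data (hypothetical hosts and documentation IP ranges) so it runs offline, standing in for what `dig NS` would return. One caveat the check cannot remove: the registrar still controls the delegation in the parent zone, so NS diversity protects against a host or DNS provider going away, not against the registrar redirecting or suspending the name, which is the action GoDaddy's response describes.

```python
"""Assess how redundant a domain's NS delegation actually is.

Added example (not from the page or any project it mentions). Input is a
constructed mapping of name server hostname -> address, as one might
paste from `dig NS <domain>` followed by `dig A <ns>`; no network access.
"""
import ipaddress

# Constructed sample: hypothetical name servers using documentation
# address ranges. Two servers under the zone itself, one at an
# independent DNS provider in a different network.
SAMPLE_NS = {
    "ns1.example.org.": "192.0.2.10",
    "ns2.example.org.": "192.0.2.11",
    "ns1.other-dns-host.net.": "198.51.100.5",
}

# Constructed counter-example: everything depends on one provider and
# on the glue records held at the registrar.
SINGLE_PROVIDER_NS = {
    "ns1.example.org.": "192.0.2.10",
    "ns2.example.org.": "192.0.2.11",
}


def parent_domain(host):
    """Return the last two labels of a hostname, a rough proxy for 'who runs it'."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def network_of(ip_str):
    """Group addresses by /24 (IPv4) or /48 (IPv6) as a rough 'same network' test."""
    ip = ipaddress.ip_address(ip_str)
    bits = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def assess_delegation(domain, ns_map, min_servers=2):
    """Return counts plus a list of warnings about shared points of failure."""
    domain = domain.rstrip(".")
    warnings = []

    if len(ns_map) < min_servers:
        warnings.append(
            f"only {len(ns_map)} name server(s); need at least {min_servers}")

    providers = {parent_domain(h) for h in ns_map}
    if len(providers) < 2:
        warnings.append(
            f"all name servers under one parent domain ({next(iter(providers))})")

    networks = {network_of(ip) for ip in ns_map.values()}
    if len(networks) < 2:
        warnings.append("all name servers in one network prefix")

    # In-bailiwick servers are only reachable through glue the registrar
    # publishes; if every NS is in-bailiwick, pulling the glue takes all down.
    in_bailiwick = [h for h in ns_map
                    if h.rstrip(".") == domain
                    or h.rstrip(".").endswith("." + domain)]
    if in_bailiwick and len(in_bailiwick) == len(ns_map):
        warnings.append(
            "all name servers are inside the zone itself; registrar glue is the only path to them")

    return {
        "servers": len(ns_map),
        "providers": sorted(providers),
        "networks": len(networks),
        "warnings": warnings,
    }


def is_redundant(domain, ns_map):
    """True when no shared-point-of-failure warning was raised."""
    return not assess_delegation(domain, ns_map)["warnings"]


if __name__ == "__main__":
    for label, ns in (("diverse", SAMPLE_NS), ("single-provider", SINGLE_PROVIDER_NS)):
        result = assess_delegation("example.org", ns)
        print(label, "redundant" if not result["warnings"] else "NOT redundant")
        for w in result["warnings"]:
            print("  -", w)
```

The parent-domain and /24 heuristics are deliberately crude; a real audit would map each address to its AS and hosting provider, and would still have to treat the registrar account itself as a single point of failure.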
no
please don't shut off myspace
MySpace has been shown to be used by pedophiles to find their next victims…. By MySpace’s logic they should take their own site down, just to protect the kids. Anyway, I am having serious thoughts about moving my 20-30 domain names to another registrar……
MySpace and "Security" Are Not On The Same Page.
Just my opinion.
Myspace hardly gets a mention in the press nowadays. Just as I imagine the same thing will happen to twitter in 5 or 6 years too.