GoDaddy Takes SecLists.Org Offline
For hosting broadly archived MySpace password list
The SecLists.Org security mailing list was taken offline for much of yesterday. The reason? A list of scammed Myspace passwords was posted to the full disclosure mailing list, and the list was automatically archived by all the sites that archive full disclosure. MySpace noticed the archived list on SecLists, and instead of asking them to take it offline, they had GoDaddy yank their domain entirely. GoDaddy defends the move by stating they gave the list operator an hour to respond to GoDaddy's voicemail and e-mail warnings. "Needless to say, I'm in the market for a new registrar," says SecLists.Org's "Fyodor."

Robert
Premium Member
join:2001-08-25
Miami, FL

Robert

Premium Member

Question of Authority..

Should GoDaddy have the power to yank domain names offline? IMO it should be the sole discretion of ICANN.
Jonbo298
join:2004-01-12
Council Bluffs, IA

1 recommendation

Jonbo298

Member

Re: Question of Authority..

If it means the security of hundreds/thousands/millions of account names/password, etc...then yes, they have a right IMO.

If a big site like Google or Amazon all of a sudden posted a ton of credit card info or any kind of personal info, I'd rather have it yanked immediately in terms of taking site down temporarily until it was removed. Protecting people's security is much more important than a website losing some business.

If a site was up for days with people's personal info, a lot would be ticked that the site or another site like GoDaddy for example didn't pull it to stop the breach of security.

Robert
Premium Member
join:2001-08-25
Miami, FL

Robert

Premium Member

Re: Question of Authority..

said by Jonbo298:

If it means the security of hundreds/thousands/millions of account names/password, etc...then yes, they have a right IMO.

If a big site like Google or Amazon all of a sudden posted a ton of credit card info or any kind of personal info, I'd rather have it yanked immediately in terms of taking site down temporarily until it was removed. Protecting people's security is much more important than a website losing some business.

If a site was up for days with people's personal info, a lot would be ticked that the site or another site like GoDaddy for example didn't pull it to stop the breach of security.
This situation makes me think of the Spamhaus / e360insight case where the judge awarded e360insight 11.7 million dollars for Spamhaus's failure to appear in a U.S. court (they aren't based in the U.S.). What if other "e360insight" come around and manage to get registrars to start yanking domain names.. it should be up to ICANN.
Jonbo298
join:2004-01-12
Council Bluffs, IA

Jonbo298

Member

Re: Question of Authority..

Yes, but how long would it take for ICANN to temporarily yank it? I'd imagine a little longer because of having to get a 3rd company involved. I could be wrong but just wary when things involve waiting on another company to take action.

Robert
Premium Member
join:2001-08-25
Miami, FL

Robert

Premium Member

Re: Question of Authority..

said by Jonbo298:

Yes, but how long would it take for ICANN to temporarily yank it? I'd imagine a little longer because of having to get a 3rd company involved. I could be wrong but just wary when things involve waiting on another company to take action.
Who is the 3rd company involved? Myspace should have gone directly to ICANN, presented their case, and ICANN would have yanked it. GoDaddy is under the regulation of ICANN.
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

GoDaddy has pulled similar shenanigans in the past, by killing the domain hosting the NAMESERVER a spammer's domain was pointed at. GoDaddy have serious ethical issues to address here, and should not be meddling in the domain name system if they are unwilling to do so in a fair and proper manner. Their current MO is simply yanking whatever they don't like for whatever reason and sending a groundless bill to the owners, holding their domains hostage until they pay up so they will be permitted to transfer their domains elsewhere. This is not behavior I tolerate from a registrar, and I suggest any GoDaddy customers research what the company has been up to. They may be cheap, but they certainly aren't to be trusted.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5 to Jonbo298

Premium Member

to Jonbo298
said by Jonbo298:

If it means the security of hundreds/thousands/millions of account names/password, etc...then yes, they have a right IMO.

If a big site like Google or Amazon all of a sudden posted a ton of credit card info or any kind of personal info, I'd rather have it yanked immediately in terms of taking site down temporarily until it was removed. Protecting people's security is much more important than a website losing some business.

If a site was up for days with people's personal info, a lot would be ticked that the site or another site like GoDaddy for example didn't pull it to stop the breach of security.
I agree. This site's owner, like some others, defends the posting of illegally obtained userids & passwords as a necessary aid in improving security. They sound just like the scum hackers that frequent their sites.
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

Please cite the law which was violated.
jsouth
Jsouth
join:2000-12-12
Wichita, KS

1 recommendation

jsouth

Member

Re: Question of Authority..

Ever heard of identity theft? How about facilitating identity theft?
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

A username and password are not identity theft. Try harder next time.
jsouth
Jsouth
join:2000-12-12
Wichita, KS

jsouth

Member

Re: Question of Authority..

So you wouldn't have a problem with giving me your bank account username and password? Or how about a username and password to a shopping site that stores your credit card info? Some users on myspace do use the same passwords and user names on other sites or even have personal info in their profiles. Using that info is most certainly identity theft. No matter how you try and spin that it's not.

Nightshade
Premium Member
join:2002-05-26
Salem, OR

Nightshade

Premium Member

Re: Question of Authority..

First off, anyone who uses the same passwords on different sites, or even worse yet posts their personal info on unsecured myspace, or any profiles for that matter, is a fool.

There is no excuse whatsoever, other than the poor excuse of ignorance and denial, to use random password generator programs such as RoboForm (The one I use) to generate random passwords on different websites that have ANY of your personal information.

You can not be too careful when securing private information on the internet. Ignorance and denial will make you a target.
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

Myspace is not a banking system, it has no direct tie to anything financial or personal. I can not get your social security number from it. Stealing a myspace password is not identity theft.
jsouth
Jsouth
join:2000-12-12
Wichita, KS

jsouth

Member

Re: Question of Authority..

Yeah. Keep believing that.

ROCINANTE
Original Member 007
Premium Member
join:1999-06-29
Hartsdale, NY

ROCINANTE to meta

Premium Member

to meta
Invasion of privacy tort:

You cannot knowingly publish private data of private individuals, especially when a reasonable person expects the data to remain secure. This overrides the First Amendment. Case closed.
ross7
join:2000-08-16

ross7

Member

Re: Question of Authority..

said by ROCINANTE:

Invasion of privacy tort:

You cannot knowingly publish private data of private individuals, especially when a reasonable person expects the data to remain secure. This overrides the First Amendment. Case closed.
Bullshit, plain and simple.

ROCINANTE
Original Member 007
Premium Member
join:1999-06-29
Hartsdale, NY

1 edit

ROCINANTE

Premium Member

Re: Question of Authority..

It's the law; go look it up. Anyone who has majored in business has taken at least two law classes and would know this.

PhoenixDown
FIOS is Awesome
Premium Member
join:2003-06-08
Fresh Meadows, NY

PhoenixDown to Jonbo298

Premium Member

to Jonbo298
The problem is that these companies are not properly securing the information in the first place... the info has already been compromised and this is more a damage control PR ploy than anything.

pipdipchip
8 Megabits A Second
Premium Member
join:2003-12-04
Hanover, MN

pipdipchip to Jonbo298

Premium Member

to Jonbo298
said by Jonbo298:

If it means the security of hundreds/thousands/millions of account names/password, etc...then yes, they have a right IMO.
We are talking about MySpace passwords. Not bank account passwords or something. Not really a huge deal.

In a perfect world, should GoDaddy have the right? Maybe. But the fact of the matter is, the domain owner has a right to explain his side of the story. Is posting MySpace passwords illegal? It would be a hard case. If he didn't break the law, what did they do wrong to have their domain taken?

In my opinion, taking a domain (which is property), should be the last last possible option and should be court ordered.

elios
join:2005-11-15
Springfield, MO

elios

Member

Re: Question of Authority..

yes and think of the intelligence of the people that USE myspace
since it uses your e-mail as your logon I bet they use the same pass for everything; it's not a far leap to try it

some myspace logons and passes got out on 4chan's /b/ (random) board a bit back and some people on there did some really not nice stuff like getting into these people's e-mail accounts then sending out suicide notes to everyone in their address books
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

SHHH! The first rule of /b/ is YOU DO NOT TALK ABOUT /b/!

sporkme
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

sporkme to elios

MVM

to elios
said by elios:

some myspace logons and passes got out on 4chan's /b/ (random) board a bit back and some people on there did some really not nice stuff like getting into these people's e-mail accounts then sending out suicide notes to everyone in their address books
That's so mean. Imagine the disappointment felt by the rest of the world when they discovered that MySpace users were not committing mass suicide.
MASantangelo
Premium Member
join:2004-07-19
Pittstown, NJ

MASantangelo to elios

Premium Member

to elios
If you're using your bank password as your myspace account password then you probably deserve to get your funds stolen. It's the only way some people will learn.

riturno
join:2004-04-20
Dallas, TX

riturno to Jonbo298

Member

to Jonbo298
Perhaps many of the commenters here should read the linked articles. The site that was taken down was a mailing list archive.

The owner of the site would have removed the information, but was not really given any notice before the take down.

Worse is that the list had been available on the web for over nine days before MySpace went after this one archive of the list. The list can still be found with Google.

Taking down this one copy of the list did nothing to help security for MySpace users or even make a dent in availability of the information.

RadioDoc

join:2000-05-11
La Grange, IL

RadioDoc

Re: Security Theater

said by riturno:

The list can still be found with Google.
Indeed. And who here will petition to have 'google.com' revoked because of it?

Anyone?

GoDaddy is out of control.

DaneJasper
Sonic.Net
Premium Member
join:2001-08-20
Santa Rosa, CA

DaneJasper to Jonbo298

Premium Member

to Jonbo298
That's silly - Myspace could have just locked all of the accounts down and required users to select new passwords via an email process. Or, just deleted all the accounts of the people who were silly enough to have their password captured.

-Dane

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 recommendation

nwrickert to Robert

Mod

to Robert
Go Daddy clearly made a mistake in this case.

It would be an even worse mistake to not allow registrars to yank domains. Such a restriction would be of great benefit to phishers and scammers. We need phishing and scamming domains to be yanked as soon as possible.
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

The current system of yanking is obviously ineffective as there is no drop in spammers or scammers. Before you praise it, consider how successful it really is.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

Re: Question of Authority..

The current system of yanking is obviously ineffective as there is no drop in spammers or scammers. Before you praise it, consider how successful it really is.
That's like saying that having a fire department is ineffective, since there is no drop in fires.

The proper question is whether the number of victims is reduced.
meta
join:2004-12-27
00000

meta

Member

Re: Question of Authority..

Arbitrary yanking with no due process or common sense is tantamount to having the fire department called when a person plugs in a space heater unsafely. It is an inappropriate response by an organization that should know better. There are many cases of such a reaction by GoDaddy and they should not be trusted with the power to do so at will.
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

tired_runner to Robert

Premium Member

to Robert
Fuck that. That's like saying that GoDaddy needs reasonable intent to then ask ICANN if it's okay to kick them offline.

If you're an asshole enough to post something like that, you should be fine with getting the rug pulled from under your feet.

Dennis
Mod
join:2001-01-26
Algonquin, IL

Dennis

Mod

DNS doesn't take down a site...idiots

What a horrible way to think you're putting a genie back in a bottle.

Aside from using IPs...how long did it take to propagate across the rest of the world's DNS servers?

This obviously was myspace shopping around for a sympathetic ear because nobody in their right mind would consider this efficient or effective.

Oh and heaven forbid they do anything about the accounts...I'm having AOL deja vu.

kapil
The Kapil
join:2000-04-26
Chicago, IL

kapil

Member

Re: DNS doesn't take down a site...idiots

Remember who MySpace is owned by...these people have very little face time with reality.

RadioDoc

join:2000-05-11
La Grange, IL

RadioDoc

Re: DNS doesn't take down a site...idiots

Yes, what a very FOXy thing to do...
gatzdon
join:2002-10-25
Lake Zurich, IL

gatzdon

Member

?

I'm surprised they haven't knocked YouTube offline yet for the Paula Abdul video.
bigjimc
join:2003-04-21
Middleboro, MA

bigjimc

Member

Horray for B-lls

Well Bob Parsons is not one to sit back and go with the flow.

I applaud GoDaddy for taking down the domain name. Federal law would probably protect him. ICANN will back him.

Even if it was a breach of contract. Good going GoDaddy.

jjoshua
Premium Member
join:2001-06-01
Scotch Plains, NJ

jjoshua

Premium Member

Registrar's responsibilities

The registrar should not be the judge, jury, and executioner.

Let the lawyers sort this one out.

pokesph
It Is Almost Fast
Premium Member
join:2001-06-25
Sacramento, CA

pokesph

Premium Member

RE: GoDaddy Takes SecLists.Org Offline

As a small time domain registrar myself, I'm not sure I would have taken down the domain.. we do follow ICANN rules but I don't think they extend to "at your discretion" removals. In my 4 yrs of selling domains, I think I've removed one domain (it was a phishing site, IIRC) based on them using MY cloaking service (points to my generic addresses..) thus violating our TOS.

In any case, Myspace should have used the legal process or contacted SecLists.Org directly for immediate action.

P.S. NoDaddy (GoDaddy) is a terrible domain name reg.. also very hard to work with from a peer perspective..

TechyDad
Premium Member
join:2001-07-13
USA

TechyDad

Premium Member

An hour to respond? Not even that.

It looks like they didn't even give him an hour. It looks like they gave him one minute. (See the end of »blog.wired.com/27bstroke ··· nds.html .) Yes, in less than the time it would have taken him to go to the bathroom, GoDaddy decided that he was being unresponsive and shut his domain down. GoDaddy's representative even admitted that she doesn't know how much notice he had, but:
"I think the fact that we gave him notice at all was pretty generous," she said.
GoDaddy really messed this one up.

Anonymous88
Premium Member
join:2004-06-01
IA

Anonymous88

Premium Member

Google?

I liked his comment about google.

search for "myspace1.txt.bz2"

I already have the .txt file.
