[ISN] GoDaddy pulls security site after MySpace complaints

From: InfoSec News (alerts@private)
Date: Thu Jan 25 2007 - 22:31:05 PST


By Declan McCullagh
Staff Writer, CNET News.com
January 25, 2007

update - A popular computer security Web site was abruptly yanked 
offline this week by MySpace.com and GoDaddy, the world's largest domain 
name registrar, raising questions about free speech and Internet 

MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts 
some 250,000 pages of mailing list archives and other resources, because 
a list of thousands of MySpace usernames and passwords was archived on 
the site. GoDaddy claims its customers own about 18 million domains.

GoDaddy complied. In a move that Seclists.org owner Fyodor Vaskovich 
said happened with no prior notice, the company deleted his domain 
name--causing his site to be effectively unreachable for about seven 
hours on Wednesday until he found out what was happening and removed the 
password list.

"They didn't tell me why they removed the site," Vaskovich, creator of 
the popular Nmap security auditing utility, said in a phone interview. 
"At a very minimum, we should get warning."

Vaskovich said he spent "hours and hours" on the phone with GoDaddy on 
Wednesday before he finally got through to someone who was willing to 
listen. As a result of this experience, he said in an e-mail 
announcement [1], "I'm in the market for a new registrar. One who 
doesn't immediately bend over for any large corporation who asks."

For her part, GoDaddy general counsel Christine Jones defended the 
abrupt deletion, saying: "We tried to contact the registrant, but they 
were not available at the time. To protect the MySpace users from 
potentially having private information revealed, we removed the site."

Jones pointed out that GoDaddy's terms of service say the company 
"reserves the right to terminate your access to the services at any 
time, without notice, for any reason whatsoever."

Jones and Vaskovich, however, tell substantially different versions of 
exactly what happened. Jones characterized the episode as lasting only 
about an hour, saying her abuse department unsuccessfully "tried to 
contact" Vaskovich and "he actually contacted us about an hour" later 
after the removal occurred.

But Vaskovich provided CNET News.com with a log of correspondence from 
GoDaddy that corroborates his version of the story. It indicated that 
only 52 seconds elapsed from an initial voice mail notification to the 
time the domain was marked as "suspended." GoDaddy did not immediately 
respond to follow-up questions.

Vaskovich says MySpace did not contact him directly. MySpace declined to 
respond to repeated inquiries on Thursday.

Michael Froomkin, a law professor at the University of Miami who has 
written about domain name regulation, says this is the first time he's 
heard of a registrar abruptly taking a customer offline without a court 

"Some people might feel safer with a registrar that's a little more 
pro-customer," Froomkin said.

Froomkin said this week's incident raises novel free speech 
questions--not legal ones, as long as GoDaddy's terms of service are 
broad enough. Rather, he said, the issue is "the quality of their 
review" of complaints received from firms like MySpace.

GoDaddy's Jones said that "we're not knee-jerk--we try to be responsible 
about verifying complaints." There's a broad spectrum of policies among 
domain name registrars, she acknowledged, with GoDaddy "probably the 
most aggressive."

But, Jones said, GoDaddy has a 24-hour abuse department that deletes 
domain names used for spam or child pornography on a daily basis. "We're 
not here to allow people to put illegal content on the Internet," she 
said. "We take this safety and the security of the Internet very 
seriously...We take our responsibility pretty seriously. We're the 
largest registrar in the world."

When asked if GoDaddy would remove the registration for a news site like 
CNET News.com, if a reader posted illegal information in a discussion 
forum and editors could not be immediately reached over a holiday, Jones 
replied: "I don't know...It's a case-by-case basis."

[1] http://seclists.org/nmap-hackers/2007/0000.html

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Jan 25 2007 - 22:59:10 PST