[Politech] MySpace, GoDaddy pull plug on computer security domain name without warning [fs]

From: Declan McCullagh (declan@private)
Date: Fri Jan 26 2007 - 01:07:10 PST


Usually if someone has a problem with a page on a Web site, the Web site 
owner or hosting provider is contacted. YouTube gets nastygrams over 
Saturday Night Live copyright violations. Barney's lawyers send 
nastygrams to Baltimore sysadmins who post photos of plush toys in 
unflattering poses.

And so on. This is the normal order of the universe, and it could be a 
whole lot worse. (The DMCA's notice-and-take-down section could be 
tilted heavily in favor of content owners, for instance.)

This week we caught a glimpse into what a whole lot worse might look 
like. MySpace was upset because a list of some 45,000+ user names and 
passwords were floating around online (I'm guessing because of shoddy 
security practices at MySpace, but I don't know for sure). They were 
posted to a mailing list that's archived at seclists.org, which is a 
kind of list repository. Politech is featured there, for instance:
http://seclists.org/politech/2007/Jan/index.html

Instead of contacting Seclists.org owner Fyodor Vaskovich, MySpace went 
directly to his *domain name registrar*, which is GoDaddy. GoDaddy 
yanked his site by, as far as I can tell, pushing an immediate update to 
the .org registry to make his domain name invisible. It appears as 
though GoDaddy gave Fyodor just 52 seconds of notice:
http://seclists.org/nmap-hackers/2007/0000.html

GoDaddy's general counsel Christine Jones defended the deletion when I 
talked to her today, saying it's good corporate citizenship. See:

http://news.com.com/2100-1025_3-6153607.html
 >When asked if GoDaddy would remove the registration for a news site 
like CNET News.com, if a reader posted illegal information in a 
discussion forum and editors could not be immediately reached over a 
holiday, Jones replied: "I don't know...It's a case-by-case basis."

She was even more blunt in an interview with Kevin Poulsen at Wired 
News, saying 52 seconds of notice in a voicemail was "pretty generous":
http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html
"I think the fact that we gave him notice at all was pretty generous," 
she said.

Fyodor has given me permission to post some of the correspondence here 
(note how long it took him to get an answer about why his domain was 
zapped):
http://politechbot.com/docs/fyodor.godaddy.myspace.seclists-1.012507.txt
http://politechbot.com/docs/fyodor.godaddy.myspace.seclists-2.012507.txt

-Declan
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Fri Jan 26 2007 - 01:27:42 PST