If you follow the IT Security world or you are in the IT Security field, you know of SecLists.org. SecLists.org is a popular archive of several mailing lists dealing with IT Security and IT Development projects, including the popular nmap program. There was a post a few weeks ago about MySpace, and it included a very interesting attachment. The attachment was a zipped text file containing around 56,000 usernames and passwords from users on the popular social networking website.
Monsters and Critics reported on this release, and in the report they mentioned that most thought that the release of such information was, at best, irresponsible. The post with the list of usernames and passwords was naturally archived on SecLists.org. That is what SecLists.org does: it archives these lists and provides a place where the history of these posts can be researched.
In comes MySpace, in a scramble to warn the affected users and in an effort to save face. The information leak was half MySpace’s fault because they allow simple login methods. It was also half the fault of criminals posing as security researchers, because they created fake login portals and redirected users to them. Knowing this, MySpace could have asked SecLists.org to remove the archive post or attachment. They could have sent an email or warning to SecLists.org requesting removal and threatening action. Instead, they chose to use the weight and influence their name carries by opting to go to the registrar of the domain, GoDaddy, and ask them to remove the problematic post.
When that happened, many of the mailing lists cried foul. Fyodor Vaskovich, owner of the SecLists.org domain, said in a recent post to the nmap-hackers list, “I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later, I received an email saying that SecLists.org has ‘been suspended for violation of the GoDaddy.com Abuse Policy.’” One voicemail and one email. That was all GoDaddy sent. “Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to ‘NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM,’” Vaskovich said.
GoDaddy general counsel Christine Jones defended the abrupt deletion, saying in a statement to CNET: "We tried to contact the registrant, but they were not available at the time. To protect the MySpace users from potentially having private information revealed, we removed the site." GoDaddy was able to remove the domain and block it because of wording in their Terms of Service, which state that GoDaddy has the right to block access to, or remove the right to access, any of their services at any time with or without notice.
The issue is now one that should scare many in the IT world. Research often means that potentially damaging information is made public. This information often comes weeks or months after the research found flaws, but when reporting it or posting it to the public, webmasters now have to worry about censorship and removal of their right to free speech online. Another fact that was confirmed is that GoDaddy did very little research or fact-finding. They simply took the word of MySpace, used the very broad and very general wording of their terms of service, and disabled the domain.
GoDaddy is a popular domain registrar, credited with being the number one registrar in the world. This is the first reported case of GoDaddy simply bending over backwards and removing an account without a court order. Vaskovich made this point clear in his list post: “GoDaddy cowardly and lazily decided to simply shut down the site rather than actually investigating or giving me a chance to contest or comply with the complaint. Needless to say, I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks. One who considers it their job just to refer people to the SecLists.Org nameserver at 205.217.153.50, not to police the content of the services hosted at the domains. The GoDaddy ToS forbids hosting what they call ‘morally objectionable activities.’”
MySpace did not issue statements or comments about this report. It is not known what, if any, help was given to the users listed in the mailing list post that started all of this. What is known is that GoDaddy stands behind their actions and that they, along with MySpace, are facing serious public relations issues. Many users are seeking to remove accounts held by GoDaddy over this recent development. Will GoDaddy lose customers? Maybe or maybe not, but it is certain that Vaskovich will be leaving soon.
Will this start a new trend of registrars taking action and removing material on a whim? What of the ISP who hosts the material some might not agree with? Currently many ISPs need to receive a volume of complaints before taking action, and even then they do research and investigations into those complaints. Simply put, they do not take action unless it is warranted, and archiving mailing list posts, in the eyes of many, simply does not warrant removal. It should be noted that MySpace did not attempt to remove or censor the websites and list archives of the collective groups where this information was originally posted. They went after SecLists.org alone. At the time of this story, SecLists.org was again up and running. What happened to the post containing the list causing the domain’s removal?
“Most of the censorship attempts are for the full-disclosure list. It would be easiest just to cease archiving that list, but I do think it serves an important purpose in keeping the industry honest. And many good postings do make it through if you can filter out all the junk. So I'm keeping it, no matter how ‘morally objectionable’ GoDaddy and MySpace may think it to be!” – Fyodor Vaskovich