TECHSPLOITATION

On the morning of Jan. 24, Fyodor Vaskovich awoke to discover that his Web site, SecLists.org, had been transformed into a giant error message. The message said his domain couldn’t be resolved. This troubled him greatly: SecLists is an archive of several computer security-related mailing lists that contains more than 50,000 pages of technical information. It has thousands of visitors per day and nets Vaskovich a fair amount of income from Google ads. Where had the site gone? He checked with the registrar that sold him his site, GoDaddy, and discovered the megacorporation had changed the site’s name servers (addresses that tell your browser how to find the place where a Web site is hosted). Instead of his Web host’s name servers, he found this name server: ns1.suspended-for.spam-and-abuse.com
What the hell? Vaskovich checked his answering machine and found a message from somebody in the abuse department at GoDaddy telling him they were going to pull the plug on his domain. Based on his logs, it appeared that his name servers had been changed less than a minute after the call was made. Essentially, he’d been given a few seconds’ notice before a major Internet resource (and source of revenue) was shut down.
For the rest of the day Vaskovich was on the phone with GoDaddy trying to untangle what had happened. Luckily, he kept careful records. These records corroborated his story that he’d been given less than a minute’s notice and that GoDaddy repeatedly refused to give him customer service for several hours. At last he learned that SecLists had been yanked offline because MySpace contacted GoDaddy and requested it. One of the 50,000 pages on SecLists contained an e-mail in which somebody had listed the names and passwords of several MySpace users. Instead of asking Vaskovich to take down the page with passwords (which is standard industry practice), MySpace asked GoDaddy to squash the whole site. GoDaddy should have contacted Vaskovich first, and they could have asked for a legal takedown notice. But they didn’t.
What makes GoDaddy’s actions even more disgusting is that the passwords in question had been leaked about 10 days before GoDaddy took SecLists down. They appeared on dozens of other security-related and hacker Web sites. Security expert Bruce Schneier had even written a column in which he analyzed the quality of about 30,000 of the leaked passwords. (Among the top 10 popular passwords was "fuckyou," which completely mirrors my feelings for MySpace.)
So the point is passwords were already circulating, and MySpace needed to tell its customers to change their passwords. Squelching SecLists wasn’t going to protect anyone. And yet GoDaddy’s general counsel, Christine Jones, defended its actions because she believed pedophiles would get access to children’s names and passwords. "For something that has safety implications like that, we take it really seriously," she told Wired News editor Kevin Poulsen. "I think the fact that we gave him notice at all was pretty generous."
Writing in his blog about the incident, Poulsen added, "Every link in internet service (network operators, hosting companies, and now domain registrars) willing to take on a censorship role increases the likelihood of legitimate content being suppressed." What this GoDaddy disaster makes clear is that instant censorship is possible, with no court oversight, at almost any point in the data chain. And for users who aren’t as savvy or well-connected as Vaskovich, getting shut down by GoDaddy would be essentially a death sentence for speech. Indeed, he told me that he couldn’t get any service from GoDaddy until he told their customer service rep that he spends thousands of dollars on domains with the company every month. Suddenly, he was told his two-day wait for service would be cut down to mere minutes.
In the short term, what this means is do not use GoDaddy as your registrar. Vaskovich has set up a protest site at NoDaddy.com, where you can learn more.
A spokesperson from GoDaddy said the company disagrees with the way Vaskovich characterized his experience. While the legal department at GoDaddy has not yet read the NoDaddy site, the spokesperson said the company will take legal action if any of its statements are untrue. Given that GoDaddy disputes Vaskovich’s story, such a suit seems inevitable.
Annalee Newitz is a surly media nerd who still isn’t clear on how, exactly, a pedophile would figure out which passwords on SecLists belonged to children.