Fyodor only gets 60 seconds warning?
Kevin Poulsen reports on the 27B Stroke 6 blog today that Fyodor’s (of nmap fame) SecLists.org website was shut down. Kevin followed up later with responses both from GoDaddy’s general counsel and Fyodor. Please take a look at Kevin’s writeups. He does an excellent job, as always.
Basically, Fyodor keeps a public archive of a bunch of mailing lists, including Full Disclosure. Someone by the address of firstname.lastname@example.org posted a copy of a myspace password list to Full Disclosure. Fyodor’s archive contained a copy. And so does every other archive, and every single one of us who subscribes directly has a copy, too.
Depending on whose story you believe, Fyodor was given either 1 minute or 1 hour of notice before they turned him off. We don’t know how long it was between when myspace asked and GoDaddy acted. Fyodor never got the message ahead of time, and GoDaddy made no attempt to ask for removal of the single attachment out of thousands and thousands of archived emails. And the password list had been there for days.
I belong to a couple of private groups that request domain shutdowns frequently, based on phishing sites, botnet C&Cs, and sites hosting malware being used to infect new victims. These are what I would tend to call legitimate reasons to shut down a domain. How long do you think it usually takes the group to have a domain shut down? Even for the most responsive registrars, it frequently takes several hours. How do we get the 1 minute turnaround, GoDaddy? Where’s the form we fill out?
So, no brownie points for GoDaddy and how they handled this. We can see who they are willing to jump for. How about myspace? I think Fyodor’s own response it about as good as it gets. Just change the passwords on the compromised list, and notify the account owners.
So I have a question: If you know someone whose password was stolen, have they received any kind of notification? I suppose if I were a bit more enterprising, I could just mail them all and ask myself, or maybe just try the names and password on myspace, and see how many still work. After all, I’ve got a copy of the list, there’s nothing that would prevent me.