Fyodor only gets 60 seconds warning?

Kevin Poulsen reports on the 27B Stroke 6 blog today that Fyodor’s (of nmap fame) SecLists.org website was shut down. Kevin followed up later with responses both from GoDaddy’s general counsel and Fyodor. Please take a look at Kevin’s writeups. He does an excellent job, as always.

Basically, Fyodor keeps a public archive of a bunch of mailing lists, including Full Disclosure. Someone by the address of alex323@gmail.com posted a copy of a myspace password list to Full Disclosure. Fyodor’s archive contained a copy. And so does every other archive, and every single one of us who subscribes directly has a copy, too.

Depending on whose story you believe, Fyodor was given either 1 minute or 1 hour of notice before they turned him off. We don’t know how long it was between when myspace asked and GoDaddy acted. Fyodor never got the message ahead of time, and GoDaddy made no attempt to ask for removal of the single attachment out of thousands and thousands of archived emails. And the password list had been there for days.
I belong to a couple of private groups that request domain shutdowns frequently, based on phishing sites, botnet C&Cs, and sites hosting malware being used to infect new victims. These are what I would tend to call legitimate reasons to shut down a domain. How long do you think it usually takes the group to have a domain shut down? Even for the most responsive registrars, it frequently takes several hours. How do we get the 1 minute turnaround, GoDaddy? Where’s the form we fill out?
So, no brownie points for GoDaddy and how they handled this. We can see who they are willing to jump for. How about myspace? I think Fyodor’s own response is about as good as it gets. Just change the passwords on the compromised list, and notify the account owners.
So I have a question: If you know someone whose password was stolen, have they received any kind of notification? I suppose if I were a bit more enterprising, I could just mail them all and ask myself, or maybe just try the names and passwords on myspace, and see how many still work. After all, I’ve got a copy of the list; there’s nothing that would prevent me.

  • http://www.BeyondSecurity.com Aviram

    This is disturbing on so many levels. Censorship, lack of notice, and lack of basic understanding (did they really not know who Fyodor is? Did they really not understand the concept of mailing list mirrors?)

    I guess everyone who is currently using godaddy (ourselves included) is asking themselves “can it happen to me?”

  • xyberpix

    Has anyone actually spoken to Fyodor about this, to actually hear his view, or is it all hearsay at this point?

  • Takedowner

    Have a phish site you need to take down? Post a copy of the password list on it and sic myspace at them.

    Have a bot host you need to take down? Post a copy of the password list on it and sic myspace at them.

  • http://www.BeyondSecurity.com Aviram

    xyberpix – Kevin Poulsen posted Fyodor’s response on his blog:

  • XenoMuta

    These social network no-brainers are completely ignorant about security. They are ungrateful to security researchers. Instead of taking it all as a free security improvement, they pretend to prosecute and make a whole noise of it all.

    My experience: when you report to these people about their vulns, they just ignore.

  • http://www.whiteacid.org Sid

    Actually myspace does fix flaws. It just doesn’t do it very well… it can be as bad as creating a filter for that exact string, but not any alteration of it.
    Also I don’t know if they fix reported flaws, but making it onto FD will surely grab their attention.

    Imagine if MySpace did have a thank-you page for people reporting vulns. That would be almost as long as the list that seclists hosted.

  • http://networksecurity.typepad.com/ Juha-Matti

    MySpace guys don’t even know the basic facts. SecLists.org is not the official archive site. The official archive is located at http://lists.grok.org.uk/pipermail/full-disclosure/ and most SecuriTeam readers know there are several archive sites.
    Bad guys don’t need Google to catch the pw list.

  • Jason DePriest

    It’s hard to believe that a successful commercial company like GoDaddy can be bullied by pushy lawyers to jump through hoops, forgo due process, and stomp on the rights of one of their paying customers.

    Should GoDaddy have taken time to get more information and actually spoken or corresponded with Fyodor before blacklisting his site? Of course!

    Would you have acted differently in the same situation? Don’t be so sure. Words like “fines”, “punitive damages”, and especially “prison” can make you do things you normally wouldn’t.

    GoDaddy’s general counsel should have done some better advising, IMHO. Such as advising GoDaddy to investigate the claims and understand the technical details of the issue.

    Also, as was pointed out, seclists.org is only *one* of *many* archives of the Full Disclosure mailing list and not the only place to get the list.

    You’ve heard of closing the barn door after the horses are already out? Well, this was like closing a window in your house.

  • Michael Millard

    Fyodor has been providing an important and major service to us for years. I suspect someone at GoDaddy themselves has relied on the information Fyodor has helped supply. It is clearly insane and potentially beyond their legal rights to do what they did. Did they refund his money?

    I’m a professional in this field and I’m involved in the management of hundreds of websites. I can say without a reservation that GoDaddy isn’t going to ever make a dime from any client I can influence.

    My guess is they do this to people all the time. They didn’t realise what the site was they were terminating. 50,000 plus nmap users are probably going to have a real effect on GoDaddy’s bottom line.

    We’re only 50,000 people, but GoDaddy should take into account what our professions are, who we are, and how much influence 50,000 Internet Security specialists might have on their market.

  • Dan Clayton

    Have a legit site you want to shut down? If they use GoDaddy, just post something that looks important. Heck, you could probably call GoDaddy yourself and complain. It’s hard to say for sure it would work, but it might.

    The Ultimate DOS Attack: tell GoDaddy on ’em.

    Somebody make a shirt. =)

  • me

    Real simple solution: create a “Ban Godaddy.com” image banner and get you and all your friends to host it on your blog and other web sites. Hurt godaddy where it matters most… in the pocket.

  • Jen

    I am a newbie and I would like to ask the bloggers here for their advice on which registrar to go with.

    Thank you for any advice you could offer.