January 2007

No Daddy, please stop! Fyodor’s words.

So after the takedown of seclists.org, and all the different points of view being aired on the various web sites, I decided to contact Fyodor and ask him exactly what happened, and what’s going to happen in the future in regard to godaddy.com. Once again, thanks to Fyodor for taking the time to answer my questions.
The following is taken from an interview that I did with Fyodor last night, so here it is:

In your words could you please describe what happened to
seclists.org, I know that you have probably been asked this countless
times, but there are also countless sites that don’t mention your
point of view? Also, on these same sites, some are saying that you
had 60 seconds warning, others are saying 60 minutes, what’s the
exact figure?

Basically, GoDaddy suspended one of the domain names I had registered
with them based on a complaint by MySpace without giving me a chance
to respond or requiring any sort of court order from MySpace. GoDaddy
wasn’t even my ISP or web host. Policing web content of the 18
million domains in their registry is not their job. Worse, it was
extraordinarily hard and frustrating to reach them and get an actual
reason for the shutdown. I’ve described the shutdown in far more
detail at http://NoDaddy.Com .

As for the timing, they left me a voicemail at ‘9:39:31 AM PST’
according to the time stamp from my voicemail provider. In the
voicemail, they say my domain is “scheduled for suspension”. Then at
‘9:40:23’ (according to my time-synced mail server) they emailed me a
“Domain Suspension Notice” saying that my “domain names have been
suspended”. So they only gave me 52 seconds to respond to their
voicemail! Plus, their voicemail didn’t include a phone number to
reach them at! I have posted both the email and voicemail recording at
NoDaddy.Com.

GoDaddy nevertheless tried to claim that they gave me an hour of
notice. Their general counsel Christine Jones was caught by Wired in
that lie at
http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html .

Aside from nodaddy.com do you plan on taking any action, namely
legal, against godaddy.com?

They certainly deserve it, and some lawyers have offered to help. But
I haven’t even asked them for monetary restitution for the damage they
have caused — I just want them to change their policies to be more
customer-friendly. Or if they don’t, I want their behavior to be
well-known so that other consumers can make a better choice. So
unless they do something outrageous (such as suing me for speaking
out against them on NoDaddy.Com), I’m not presently planning any legal
action against GoDaddy.

Will you be taking any action against myspace.com because of this
atrocity at all?

I would cancel my account if I was pathetic enough to have one :).
They should have contacted me directly to remove the page. My email
address and phone number were available on the public whois, and I also
watch the abuse@seclists.org email address for complaints about
illegal postings to the mailing lists. Ironically, GoDaddy shut down
the complaint email address when they shut down the whole domain
SecLists.org.

So while MySpace made a mistake by sending the request directly to
GoDaddy, I hold GoDaddy much more culpable for agreeing to the
outrageous domain.

How much of an impact do you feel this had on the security
community in general?

I hope it has raised awareness of the problem of vigilante domain
registrars hijacking their customers’ domains because they find the
web content objectionable. This isn’t just a security community
issue, but an issue for all web sites. Particularly those which
accept user-generated content such as forum posts or blog comments.
My whole domain was shut down with no notice or reason immediately
given based on a 3rd party post I had nothing to do with.

How much of an impact has this had on your life?

It has kept me very busy for the last week. But I’m hoping it will
calm down so I can return to focusing the majority of my time to
maintaining Nmap and my web sites.

I know that it mentions this on nodaddy.com, but what can people
do to help on the nodaddy.com site?

The site is meant to be a community effort, so help is appreciated.
Here are some ideas:

o Forum Operator — If someone wants to start a web forum system where
users can post their GoDaddy horror stories and seek advice, that
would be useful. We would be happy to provide a subdomain such as
forums.nodaddy.com for this.

o Webmaster help — If someone wants to help maintain the site content
(post new news stories, etc.), I would be happy for the help. They
need to know (or learn to use) the Subversion version detection system.

o Creative content, like cartoons, pictures for the “NoDaddy Girls”
contest, etc. The point of the site is to spread the word about
GoDaddy abuses, but also to have fun :).

Last but not least, any new and exciting things coming along in the
next release of nmap that you’d be willing to share?

We are very excited about a new scripting language, which is already
in alpha stage. You can see our writeup here:

http://insecure.org/nmap/nse/

Also, we have received tons of user OS submissions for the second
generation OS detection system http://insecure.org/nmap/osdetect/,
so the next release should work even better in that respect.

Coca-Cola Singapore, Nokia Canada defaced

The news portal of Coca-Cola Singapore is the target of a recent defacement. The attacker’s signature is still present on the Windows 2003/IIS6 server.

It appears that the home page of Coca-cola.com.sg was a target in 2003 too.

Another global company attacked recently is Nokia Canada. Their Web site www.nokia.ca/english/index.asp was offline on Monday, but there are some screenshots posted online. One of the weblogs reporting this case is Nokia Insider, with the related entry posted by ‘Nokia’. 😉
The target page was the phone comparison page of Nokia.ca.

Canada, UK etc. seeking tax cheats with special Web crawler

This Wired news article reports that

A five-nation tax enforcement cartel has been quietly cracking down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites.

The countries participating in this Xenon project are Austria, Canada, Denmark, the Netherlands and the United Kingdom. They are cooperating with Amsterdam-based data mining company Sentient Machine Research.

A very interesting detail is that the search process is very “slow” to prevent it from being found in server logs!

Fyodor only gets 60 seconds warning?

Kevin Poulsen reports on the 27B Stroke 6 blog today that Fyodor’s (of nmap fame) SecLists.org website was shut down. Kevin followed up later with responses both from GoDaddy’s general counsel and Fyodor. Please take a look at Kevin’s writeups. He does an excellent job, as always.

Basically, Fyodor keeps a public archive of a bunch of mailing lists, including Full Disclosure. Someone by the address of alex323@gmail.com posted a copy of a myspace password list to Full Disclosure. Fyodor’s archive contained a copy. And so does every other archive, and every single one of us who subscribes directly has a copy, too.

Depending on whose story you believe, Fyodor was given either 1 minute or 1 hour of notice before they turned him off. We don’t know how long it was between when myspace asked and GoDaddy acted. Fyodor never got the message ahead of time, and GoDaddy made no attempt to ask for removal of the single attachment out of thousands and thousands of archived emails. And the password list had been there for days.

I belong to a couple of private groups that request domain shutdowns frequently, based on phishing sites, botnet C&Cs, and sites hosting malware being used to infect new victims. These are what I would tend to call legitimate reasons to shut down a domain. How long do you think it usually takes the group to have a domain shut down? Even for the most responsive registrars, it frequently takes several hours. How do we get the 1 minute turnaround, GoDaddy? Where’s the form we fill out?

So, no brownie points for GoDaddy and how they handled this. We can see who they are willing to jump for. How about myspace? I think Fyodor’s own response is about as good as it gets. Just change the passwords on the compromised list, and notify the account owners.

So I have a question: If you know someone whose password was stolen, have they received any kind of notification? I suppose if I were a bit more enterprising, I could just mail them all and ask myself, or maybe just try the names and password on myspace, and see how many still work. After all, I’ve got a copy of the list, there’s nothing that would prevent me.