MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources, because a list of thousands of MySpace usernames and passwords was archived on the site.
GoDaddy complied. In a move that Seclists.org owner Fyodor Vaskovich said happened with no prior notice, the company deleted his domain name–causing his site to be effectively unreachable for about seven hours on Wednesday until he found out what was happening and removed the password list.
Towards the end of the article, my jaw hit my desk:
But, Jones said, GoDaddy has a 24-hour abuse department that deletes domain names used for spam or child pornography on a daily basis. “We’re not here to allow people to put illegal content on the Internet,” she said. “We take this safety and the security of the Internet very seriously…We take our responsibility pretty seriously. We’re the largest registrar in the world.”
So essentially GoDaddy sidesteps the hosting company that has the files, and deletes domains. The degrees of stupidity here are endless. GoDaddy receives a complaint about spam and kills the domain, but the hosting account is still open, so the spammer can just switch domains and continue to send spam all day long. Of course, the spammer could continue to send spam even with the domain deleted, because the hosting account is still open. When the domain is deleted, the spammer is tipped off that he/she is busted and can cover their tracks. If GoDaddy receives a complaint about illegal information, the domain is deleted, but the files in question? Still around. The owner could just switch domain names if they “really” wanted that material online.
In this case those 60,000 MySpace passwords are still mirrored across the internet. But I don’t see any announcements from MySpace warning users. I haven’t heard MySpace saying they changed the passwords for these users. I do see GoDaddy putting the domain back online, but if the site owner broke their terms of service, why do that?
I realize almost all registrars have a clause in their terms of service saying they can delete domains, and they should in extreme circumstances. If I were MySpace, I’d be more concerned about changing those passwords, since the login information is STILL on the internet and can STILL be used, rather than asking GoDaddy to delete a domain and not solving the problem. MySpace claims to be protecting the kids, but honestly, if they didn’t change those passwords, or at least send out an email to warn them, or better, start to educate their users about these scams (especially the kids) – they didn’t do a good job, did they?