By Annalee Newitz
ON THE MORNING of Jan. 24, Fyodor Vaskovich awoke to discover that his website SecLists.org had been transformed into a giant error message. The message said his domain couldn't be resolved. This troubled him greatly: SecLists is an archive of several computer security-related mailing lists that contains more than 50,000 pages of technical information. It has thousands of visitors per day and nets Fyodor a fair amount of income from Google ads.
Where had the site gone? Fyodor checked with the registrar who had sold him his site, GoDaddy, and discovered the megacorporation had changed the site's name servers—addresses that tell your browser how to find the place where a website is hosted. Instead of his web host's name servers, he found this name server: ns1.suspended-for.spam-and-abuse.com.
What the hell? Fyodor checked his answering machine and found a message from somebody in the abuse department at GoDaddy telling him they were going to pull the plug on his domain. Based on his logs, it appeared that his name servers had been changed less than a minute after the call was made. Essentially, he'd been given a few seconds notice before a major Internet resource (and source of revenue) was shut down.
For the rest of the day, Fyodor was on the phone with GoDaddy trying to untangle what had happened. Luckily, he kept careful records that he later showed to reporters at CNET and Wired News—these records corroborated his story that he had been given less than a minute's notice, and that GoDaddy repeatedly refused to give him customer service for several hours.
At last, he learned that SecLists had been yanked offline because MySpace had contacted GoDaddy and requested it. One of the 50,000 pages on SecLists contained an email where somebody had listed the names and passwords of several MySpace users. Instead of asking Fyodor to take the page with passwords down—which is industry standard practice—MySpace asked GoDaddy to squash the whole site. GoDaddy didn't have to do it, however. They could have contacted Fyodor first, and they could have asked for a legal take-down notice from MySpace. Essentially, they could have provided minimal customer service and oversight. But they didn't.
What makes GoDaddy's actions even more disgusting is that the passwords in question had been leaked about 10 days before GoDaddy took SecLists down. They appeared on dozens of other security-related and hacker websites. Security expert Bruce Schneier had even written a column in which he analyzed the quality of about 30,000 of the leaked passwords. (Among the Top 10 popular passwords was "fuckyou," which completely mirrors my feelings for MySpace.)
So the point is, the cat was out of the bag. The passwords were circulating, and MySpace needed to tell its customers to change their passwords. Squelching SecLists wasn't going to help protect anyone. And yet GoDaddy's general counsel, Christine Jones, defended their actions because she believed pedophiles would get access to children's names and passwords: "For something that has safety implications like that, we take it really seriously," she told Wired News editor Kevin Poulsen. "I think the fact that we gave him notice at all was pretty generous."
Writing in his blog about the incident, Poulsen added, "Every link in Internet service—network operators, hosting companies and now domain registrars—willing to take on a censorship role increases the likelihood of legitimate content being suppressed." I couldn't have said it better. What this GoDaddy disaster makes clear is that instant censorship is possible, with no court oversight, at almost any point in the data chain. And for users who aren't as savvy or well-connected as Fyodor, getting shut down by GoDaddy would be essentially a death sentence for speech. Indeed, Fyodor told me that he couldn't get any service from GoDaddy until he told their customer-service rep that he spends thousands of dollars on domains with them every month. Suddenly, he was told his "two-day wait" for service would be cut down to mere minutes.
In the short term, what this means is do not use GoDaddy as your registrar. Fyodor has set up a protest site at NoDaddy.com if you want to learn more. As for the long-term sustainability of free speech online, I'm afraid we're at the mercy of capricious companies. I guess when MySpace users grow up they can decide whether it's worse to be censored by GoDaddy or the government.
Annalee Newitz (firstname.lastname@example.org) is a surly media nerd who still isn't clear on how, exactly, a pedophile would figure out which passwords on SecLists belonged to children.
Send a letter to the editor about this story.