[Infowarrior] - Seclists.Org shut down by Myspace and GoDaddy

Richard Forno rforno at infowarrior.org
Thu Jan 25 10:39:08 EST 2007


(c/o J)

http://seclists.org/nmap-hackers/2007/0000.html

Seclists.Org shut down by Myspace and GoDaddy

From: Fyodor <fyodor_at_insecure.org>
Date: Thu, 25 Jan 2007 01:47:47 -0800

Hi everyone,

Many of you reported that our SecLists.Org security mailing list archive
was down most of yesterday (Wed), and all you really need to know is that
we're back up and running! But I'm going into rant mode anyway in case you
care for the details.

I woke up yesterday morning to find a voice message from my domain
registrar (GoDaddy) saying they were suspending the domain SecLists.org.
One minute later I received an email saying that SecLists.org has "been
suspended for violation of the GoDaddy.com Abuse Policy". And also "if the
domain name(s) listed above are private, your Domains By Proxy(R) account
has also been suspended." WTF??! Neither the email nor voicemail gave a
phone number to reach them at, nor did they feel it was worth the effort
to explain what the supposed violation was. They changed my domain
nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh?

I called GoDaddy several times, and all three support people I spoke with
(Craig, Ricky, then Wael) said that the abuse department doesn't take
calls. They said I had to email abuse_at_godaddy.com (which I had already
done 3 times) and that I could then expect a response "within 1 or two
business days". Given that tens of thousands of people use SecLists.Org
every day, I didn't take that well. When they realized I was going to just
keep calling until they did something, they finally persuaded the abuse
department to explain why they cut me off: Myspace.Com asked them to.

Apparently Myspace is still reeling from all the news reports more than a
week ago about a list of 56,000 myspace usernames+passwords making the
rounds. It was all over the news, and reminded people of a completely
different list of 34,000 MySpace passwords which was floating around last
year. MySpace users fall for a LOT of phishing scams. They are basically
the new AOL. Anyway, everyone has this latest password list now, and it
was even posted (several times) to the thousands of members of the
fulldisclosure mailing list more than a week ago. So it was archived by
all the sites which archive full-disclosure, including SecLists.Org.

Instead of simply writing me (or abuse_at_seclists.org) asking to have the
password list removed, MySpace decided to contact (only) GoDaddy and try
to have the whole site of 250,000 pages removed because they don't like
one of them. And GoDaddy cowardly and lazily decided to simply shut down
the site rather than actually investigating or giving me a chance to
contest or comply with the complaint. Needless to say, I'm in the market
for a new registrar. One who doesn't immediately bend over for any large
corporation who asks. One who considers it their job just to refer people
to the SecLists.Org nameserver at 205.217.153.50, not to police the
content of the services hosted at the domains. The GoDaddy ToS forbids
hosting what they call "morally objectionable activities".

It is way too late for MySpace to put the cat back in the bag anyway. The
bad guys already have the file, and anyone else who wants it need only
Google for "myspace1.txt.bz2" or "duckqueen1". Is MySpace going to try and
shut down Google next?

For some reason, this is only one of a spate of bogus Seclists removal
requests. I do remove material that is clearly illegal or inappropriate
for SecLists.org (like the bonehead who keeps posting furry porn to
fulldisclosure). But one company sent a legal threat demanding[1] that I
remove a 7-year-old Bugtraq posting which was a complaint about previous
bogus legal threats they had sent. Another guy[2] last week sent a
complaint to my ISP saying that an image was child porn and declaring that
he would notify the FBI. When asked why he thought the picture was of a
child, he tried a different tack: sending a DMCA complaint declaring under
penalty of perjury that he is the copyright holder of the photo! Michael
Crook told me on the phone that he sent the DMCA request, but when I
forwarded the info to the EFF (who is already suing this guy for sending
other bogus DMCA complaints), he changed his mind and wrote that "after
further review, I can find no record" of mailing the complaint.

Most of the censorship attempts are for the full-disclosure list. It would
be easiest just to cease archiving that list, but I do think it serves an
important purpose in keeping the industry honest. And many good postings
do make it through if you can filter out all the junk. So I'm keeping it,
no matter how "morally objectionable" GoDaddy and MySpace may think it to
be!

In much happier Nmap news, I'm pleased to report that the Nmap project now
has a public SVN server so you can always check out the latest version.
Due to a bug in SVN, we use a username as "guest" with no password rather
than anonymous. So check it out with the command:

svn co --username guest --password "" svn://svn.insecure.org/nmap

Then do the normal:
./configure
make

And install it or set NMAPDIR to "." to run in place. Among other goodies,
this release includes the Nmap scripting language[3].

If you want to follow Nmap development on a check-in by check-in basis,
there is a new nmap-svn mailing list[4] for that. But be prepared for some
high traffic as you'll get every patch!

2007 will be a good year for Nmap!

Cheers,
Fyodor

[1] http://seclists.org/nmap-dev/2006/q4/0302.html
[2] http://seclists.org/nmap-dev/2007/q1/0067.html
[3] http://insecure.org/nmap/nse/
[4] http://cgi.insecure.org/mailman/listinfo/nmap-svn



