We've seen a bunch of critical messages about GoDaddy go over the list
in the last few days. I'm happy to extend an invitation to someone at
the company if they want to reply. The closest we've seen so far is this:
http://news.com.com/5208-1025_3-0.html?forumID=1&threadID=24518&messageID=232062
"I am Ben Butler, the Director of Network Abuse at Go Daddy and I want
to personally address your posts regarding SecLists.org... An important
issue I would ask you to consider is one that is a top priority for us
at Go Daddy - child exploitation or even the potential for it... I don't
know of any parent who wouldn't want their child's username and password
protected."
Previous Politech message:
http://www.politechbot.com/2007/01/29/response-to-godaddys/
-Declan
-------- Original Message --------
Subject: Re: [Politech] More experiences with GoDaddy, free speech, and
domain deletion [fs]
Date: Fri, 26 Jan 2007 10:52:28 -0800
From: Tom Collins <tom@xxxxxxxxxxxx>
To: Declan McCullagh <declan@xxxxxxxx>
References: <45BA335B.2030306@xxxxxxxx>
Declan,
A good friend ran into a serious problem with GoDaddy. He had a
dedicated server with them, and when he confronted his sysadmin about
using the server to host sites for other people, the sysadmin freaked
out. Since the sysadmin had access to the GoDaddy account, he was
able to renew the domain registration with his credit card, change
the password and change the Registrant info. As a result, my friend
has lost complete control over the domain. Since the sysadmin made
the last payment on the account, he now "owns" it.
My friend lives in Scottsdale, where GoDaddy headquarters is located,
but there isn't a physical office you can visit (no surprise there).
To regain control of the domain, he needs to sue the sysadmin and get
a court order to force GoDaddy to hand the domain back.
As a result, he's registered a new domain name for their company
(using Dotster) and I'm hosting the site and email for them. What a
mess.
-Tom
-------- Original Message --------
Subject: Re: [Politech] MySpace, GoDaddy pull plug on computer security
domain name without warning [fs]
Date: Mon, 29 Jan 2007 23:33:53 -0500
From: Jim Davidson <davidson@xxxxxxxx>
Reply-To: davidson@xxxxxxxx
To: Declan McCullagh <declan@xxxxxxxx>
References: <45B9C4BE.9060301@xxxxxxxx>
Dear Declan,
Your comments are completely appropriate throughout.
MySpace has terrible log-in security. There is no way to get an SSL
link to log in securely.
As I understand it, all MySpace passwords are user generated, so many
of them are undoubtedly words found in the dictionary. Many users
have fairly obvious e-mail addresses, too, which is what passes for a
user name. So, learn a user's e-mail address (often by simply looking
at their MySpace page or a web link from their MySpace page) and then
their password may be one encrypted dictionary away.
If MySpace is serious about security, it can take a number of steps.
Adding https connections, at least as an option, lets those who have
decent passwords keep them private. MySpace could add server generated
usernames or passwords, or at least offer replacement passwords that
are reasonably strong server-generated random character strings.
Another very frequent problem I've encountered is bot-generated pages
on MySpace. Many of these pages come up with a covering image that
asserts the content is protected and for adults only, click on the
image to get special log in instructions. Endless phishing goes on
with MySpace log-in look-alike pages.
It is a minefield trying to keep a MySpace page secure. I see many
of my friends lose their passwords and then the bulletin board gets
loaded with spam apparently from their hijacked account. One friend
clicked on a MySpace message he received, found an offer for a nude
video of Britney Spears, clicked that, his MySpace session was suddenly
"lost" and he found himself at a screen requesting login. So, of
course, he logged in to a phishing site.
Yahoo mail and other sites such as Google don't have these apparent
difficulties. What do they do differently? I used to have to click
a particular link to get to Yahoo's SSL login, but now it seems to be
the default. Gmail has always had SSL login screens. Given user
selected usernames and passwords, SSL seems essential, to me.
MySpace seems to be run by amateurs, so it is not surprising that
they didn't bother to go to the site's owner before going to the
registrar demanding the plug be pulled.
As for GoDaddy, I find their attitude idiotic. Most of the people
I know are moving toward Tucows registrars (WontonGold is a good
one) or other alternatives.
Yes, GoDaddy can act as judge, jury, and executioner. But should
they? And, if they are going to sit in judgement, doesn't the
accused have rights? Right to present evidence in his defense, to
confront witnesses against him, to confront their testimony, to
take corrective action before having his domain eliminated?
Assuming these rights are not present in the GoDaddy contract,
then only a fool would register with GoDaddy. Or perhaps a
prospective litigant.
The principles of liberty embodied in the constitution are not
just a bunch of complex ideas. They are the distillation of
hundreds of years of common law and thousands of years of
mercantile law. Treating the accused with respect for certain
rights is better for everyone, not just the accused. It makes
for better results, a greater chance that justice prevails, it
reduces the potential for miscarriage of justice, for hard
feelings, and for bitterness.
Heavy handed brutality and torture may appeal to the socialists,
but they are wrong. They've always been wrong. Private property
and individual liberty make for a better society.
Regards,
Jim
http://indomitus.net/
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)