I’m sure everyone is going to be posting and abuzz about how MySpace got GoDaddy to drop Seclists.org. But what really makes me frustrated and angry is how often people make assumptions and how ignorant so many people can be (and apparently illiterate). Reading the comments here and here is just an exercise in working up a large frustration level with people who think Fyodor was the one who phished those accounts and then posted them on the site for everyone to grab. And so on. That frustration is what prompted this post, not the news item itself.
Big kudos to Fyodor for digging quickly to the heart of the matter in saying MySpace should have taken action to protect its users whose accounts were compromised, not trying to patch up an unpatchable leak.
Personally, despite my knowledge that security still sucks and that botnets and phishing are out of control, I am not convinced that ISPs and registrars should be the police of the Internet. There is still a lot of vigilantism out there, with non-official sources tracking down and raising Cain about phishing sites, botnets, spambots, and illegal or copyrighted material, which can end up with a lot of collateral damage as legitimate persons and innocent victims are infringed upon, especially with amateur cowboys on their missions. I will say, however, that some of that is necessary and legitimate. F-Secure notifying an ISP or registrar about a known phishing site that is doing nothing but phishing is one thing, but non-experts doing it? I’m not sold on that idea.
Shame on MySpace for even pursuing this without at least a little bit of thought or investigation. They could have contacted Fyodor themselves, they could have checked into the mailing list, they could have asked around or browsed the archives themselves to see what the whole story was. They could have (and should have!) notified their own users about the compromised accounts and forced a password change. Wiping out a site when the accounts are already leaked and in the public domain does absolutely nothing for the integrity and security of MySpace and its users.
Shame on GoDaddy for their impatient reaction and also their own lack of follow-through and investigation. GoDaddy should have experience and relations with known experts and groups who report phishing sites and other TOS violations. I doubt MySpace would or should be amongst those groups. Due process. As a customer of GoDaddy, I would expect due process and not a knee-jerk reaction based on which way the winds are blowing.