The GoDaddy-MySpace fiasco appears to have run its course. As I read blog posts and news stories, one thing that stood out was the intense focus on the legal and business implications of GoDaddy’s actions. I do not know the exact details, but I can speculate that “business” folks at MySpace contacted “business” folks at GoDaddy, who then directed technical folks to act on the request to shut down Seclists.org. GoDaddy and MySpace (but mostly GoDaddy) have been on the receiving end of a fair amount of negative P.R. as a result. Let’s put our business hats aside for a moment and put on our technical hats (after all, this is a technology blog).
I think that if the folks at MySpace or GoDaddy had consulted with their in-house technical and information security resources, a much simpler and more effective solution could have been employed. It’s a big assumption on my part that in-house technical resources were not consulted, going by the sheer stupidity of the public actions (or perhaps they were consulted and subsequently ignored, which is often the case).
Any sane information security person would have informed them of two very important things:
- On the Internet there is no “unpublish” feature. Once information is out there, you have to assume that it is there in perpetuity.
- Usernames and passwords, once compromised, must be changed, as the associated accounts are no longer secure.
The course of action that MySpace took was the exact opposite of what they could and should have done — run a script on the published list of usernames to permanently disable each one and contact the account owners about what they need to do to regain access. This would have been terribly inconvenient for all the users involved, but it would have made the leaked usernames inconsequential.
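A sketch of the kind of script described above, as an added example that is not from the original post or from MySpace: it reads a published dump, keeps only the usernames, disables each matching account, revokes its sessions, and returns the list of owners to contact. The `Account` record, the in-memory account store and the dump format are assumptions, and the sample dump is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a published credential dump; not real accounts.
LEAKED_DUMP = """\
# constructed sample
alice@example.com:hunter2
Bob@Example.com : letmein
carol@example.com\tqwerty
alice@example.com:hunter2
not-a-credential-line
dave@example.com:
"""

@dataclass
class Account:  # hypothetical account record
    email: str
    disabled: bool = False
    must_reset: bool = False
    sessions: list = field(default_factory=list)

def leaked_usernames(dump):
    """Yield each listed username once, lower-cased; passwords are never kept."""
    seen = set()
    for line in dump.splitlines():
        # username, then ':' or a tab; comment and malformed lines do not match
        m = re.match(r"\s*([^\s:#]+@[^\s:]+)\s*[:\t]", line)
        user = m.group(1).lower() if m else None
        if user and user not in seen:
            seen.add(user)
            yield user

def lock_leaked_accounts(dump, accounts):
    """Disable every listed account; return (owners to notify, unknown names)."""
    notify, unknown = [], []
    for user in leaked_usernames(dump):
        acct = accounts.get(user)
        if acct is None:
            unknown.append(user)      # listed in the dump but not one of ours
        elif not acct.disabled:       # idempotent: a rerun does not re-notify
            acct.disabled = acct.must_reset = True
            acct.sessions.clear()     # revoke any live sessions
            notify.append(user)
    return notify, unknown
```

Accounts are locked whether or not the leaked password still matches, since the list itself is what is public.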
GoDaddy simply compounded things for itself by not pushing back on this and instead shutting down the domain at MySpace’s request.
There have been many blog posts asking people to reconsider using GoDaddy as a registrar, including this one by fellow LinkedIn blogger Marc Freedman. I thought about this and decided against it. First of all, it’s a huge pain to move active domains, and even with careful planning there will likely be some site downtime during the switch. Secondly, there is a cost associated with it.
I would switch if GoDaddy did this sort of thing repeatedly and blatantly. However, I am not convinced this is the case. While it is more fun and buzz-worthy to bash GoDaddy on this issue from the grandiose perspective of freedom and laws, the truth of the matter is that this episode highlights one commonality between GoDaddy and MySpace: incompetent people. I somehow doubt switching registrars is going to provide any measure of protection.