Author: geeta1
Opinion: When a vendor says they can cancel your service because they don't like you, it's time to look elsewhere. Consider the capriciousness and hypocrisy of what Go Daddy did to Fyodor Vaskovich.
Not many of us actually read all the legal agreements we enter into and this problem has gotten far worse in the era of the Internet. We all agree to licenses and contracts that we don't take seriously.
Fyodor Vaskovich found out the hard way that some terms of service are so arbitrary and capricious that they mean whatever the vendor wants them to mean. Vaskovich operates seclists.org, a mailing list archive site for most of the really important security mailing lists. This means that if someone posts content to those lists, he stores it on that site.
As Vaskovich explains in this e-mail, the day before Christmas he got a voice mail from Go Daddy saying that they were suspending his domain seclists.org. One minute later he received an e-mail from them that the domain "has been suspended for violation of the GoDaddy.com Abuse Policy."
Normally, Go Daddy doesn't respond to inquiries about why they have suspended a domain for a business day or two, but he was able to prod them into revealing that they had shut down the domain because My Space had asked them to. A list of 34,000 My Space user names and passwords was posted to the very popular Full-Disclosure list and therefore archived by seclists.org. Instead of contacting Vaskovich, My Space approached Go Daddy and had them shut off his domain.
Before I get to Go Daddy’s behavior, I must wonder what My Space’s goal is here. The list of usernames and passwords went out on a mailing list and thousands of outsiders have it already, irrespective of whether the archived version is available. The cat's out of the bag and My Space, at a minimum, must void the passwords and force those users to reset theirs. What is accomplished by taking the list down? They only reinforce the reasonable conclusion that they don't know what they are doing. And why not go through the site admin? As Vaskovich said himself: "I would cancel my [My Space] account if I was pathetic enough to have one."
Go Daddy’s Policies
So what's Go Daddy’s excuse? I can imagine that posting usernames and passwords is reasonable grounds for taking action, but what exactly does their policy say? Go Daddy’s Legal Agreements page has a lengthy list of policies, including their "Universal Terms of Service". Let's review some excerpts:
Go Daddy reserves the right to terminate Services if your usage of the Services results in, or is the subject of, legal action or threatened legal action, against Go Daddy or any of its affiliates or partners, without consideration for whether such legal action or threatened legal action is eventually determined to be with or without merit.
OK, that's pretty clear. All someone (My Space for example) has to do is threaten Go Daddy and Go Daddy has the right to cancel your service. But the next paragraph is the one that really caught my eye:
Except as set forth below, Go Daddy may also cancel Your use of the Services, after thirty (30) days, if You are using the Services, as determined by Go Daddy in its sole discretion, in association with spam or morally objectionable activities. Morally objectionable activities will include, but not be limited to: activities designed to defame, embarrass, harm, abuse, threaten, slander or harass third parties; activities prohibited by the laws of the United States and/or foreign territories in which You conduct business; activities designed to encourage unlawful behavior by others, such as hate crimes, terrorism and child pornography; activities that are tortuous, vulgar, obscene, invasive of the privacy of a third party, racially, ethnically, or otherwise objectionable; ... [Emphasis mine]
Vulgar? Obscene? Embarrassing? Talk about ThePotCallingTheKettleBlack.com! (Predictably, that name is parked and owned by a domain broker.) Go Daddy practically invented vulgarity. Their Super Bowl ads, worthy of a class of 14-year-old boys for their creativity, embarrass the NFL, not to mention most decent people who watch them. I enjoy a good dirty joke as much as anyone, but Go Daddy’s soft-core attempts at humor just fails.
Go Daddy also claimed to wired that they gave Vaskovich "close to an hour" to respond to them, but Vaskovich posted the voice mail and e-mail showing that this claim was false. It's a "he said-Go Daddy said" thing, but I believe Vaskovich. Even if they had provided an hour, so what? They didn't provide a phone number; just a generic e-mail address (abuse@godaddy.com) and they don't claim to respond to it promptly.
Go Daddy CEO Bob Parsons has a popular blog in which he doesn't hesitate to criticize others. He's been conspicuously silent about the outrage over his company's actions. I can't imagine that many people have respect for Go Daddy they are likely to lose as a result of this and security experts are a small market, so maybe Parsons doesn't care. But we're still looking for a credible response.
Opinion: When a vendor says they can cancel your service because they don't like you, it's time to look elsewhere. Consider the capriciousness and hypocrisy of what Go Daddy did to Fyodor Vaskovich.
Not many of us actually read all the legal agreements we enter into and this problem has gotten far worse in the era of the Internet. We all agree to licenses and contracts that we don't take seriously.
Fyodor Vaskovich found out the hard way that some terms of service are so arbitrary and capricious that they mean whatever the vendor wants them to mean. Vaskovich operates seclists.org, a mailing list archive site for most of the really important security mailing lists. This means that if someone posts content to those lists, he stores it on that site.
As Vaskovich explains in this e-mail, the day before Christmas he got a voice mail from Go Daddy saying that they were suspending his domain seclists.org. One minute later he received an e-mail from them that the domain "has been suspended for violation of the GoDaddy.com Abuse Policy."
Normally, Go Daddy doesn't respond to inquiries about why they have suspended a domain for a business day or two, but he was able to prod them into revealing that they had shut down the domain because My Space had asked them to. A list of 34,000 My Space user names and passwords was posted to the very popular Full-Disclosure list and therefore archived by seclists.org. Instead of contacting Vaskovich, My Space approached Go Daddy and had them shut off his domain.
Before I get to Go Daddy’s behavior, I must wonder what My Space’s goal is here. The list of usernames and passwords went out on a mailing list and thousands of outsiders have it already, irrespective of whether the archived version is available. The cat's out of the bag and My Space, at a minimum, must void the passwords and force those users to reset theirs. What is accomplished by taking the list down? They only reinforce the reasonable conclusion that they don't know what they are doing. And why not go through the site admin? As Vaskovich said himself: "I would cancel my [My Space] account if I was pathetic enough to have one."
Go Daddy’s Policies
So what's Go Daddy’s excuse? I can imagine that posting usernames and passwords is reasonable grounds for taking action, but what exactly does their policy say? Go Daddy’s Legal Agreements page has a lengthy list of policies, including their "Universal Terms of Service". Let's review some excerpts:
Go Daddy reserves the right to terminate Services if your usage of the Services results in, or is the subject of, legal action or threatened legal action, against Go Daddy or any of its affiliates or partners, without consideration for whether such legal action or threatened legal action is eventually determined to be with or without merit.
OK, that's pretty clear. All someone (My Space for example) has to do is threaten Go Daddy and Go Daddy has the right to cancel your service. But the next paragraph is the one that really caught my eye:
Except as set forth below, Go Daddy may also cancel Your use of the Services, after thirty (30) days, if You are using the Services, as determined by Go Daddy in its sole discretion, in association with spam or morally objectionable activities. Morally objectionable activities will include, but not be limited to: activities designed to defame, embarrass, harm, abuse, threaten, slander or harass third parties; activities prohibited by the laws of the United States and/or foreign territories in which You conduct business; activities designed to encourage unlawful behavior by others, such as hate crimes, terrorism and child pornography; activities that are tortuous, vulgar, obscene, invasive of the privacy of a third party, racially, ethnically, or otherwise objectionable; ... [Emphasis mine]
Vulgar? Obscene? Embarrassing? Talk about ThePotCallingTheKettleBlack.com! (Predictably, that name is parked and owned by a domain broker.) Go Daddy practically invented vulgarity. Their Super Bowl ads, worthy of a class of 14-year-old boys for their creativity, embarrass the NFL, not to mention most decent people who watch them. I enjoy a good dirty joke as much as anyone, but Go Daddy’s soft-core attempts at humor just fails.
Go Daddy also claimed to wired that they gave Vaskovich "close to an hour" to respond to them, but Vaskovich posted the voice mail and e-mail showing that this claim was false. It's a "he said-Go Daddy said" thing, but I believe Vaskovich. Even if they had provided an hour, so what? They didn't provide a phone number; just a generic e-mail address (abuse@godaddy.com) and they don't claim to respond to it promptly.
Go Daddy CEO Bob Parsons has a popular blog in which he doesn't hesitate to criticize others. He's been conspicuously silent about the outrage over his company's actions. I can't imagine that many people have respect for Go Daddy they are likely to lose as a result of this and security experts are a small market, so maybe Parsons doesn't care. But we're still looking for a credible response.
No comments:
Post a Comment