Computer security guru Fyodor (pictured) reports waking up yesterday to find his website SecLists.org essentially removed from the web by his domain registrar, GoDaddy. After a bunch of phone calls to GoDaddy, he eventually got them to explain why: Because MySpace asked them too.

SecLists provides public archives of over a dozen computer security mailing lists, including BugTraq and Full Disclosure. MySpace was apparently unhappy with a post that crossed Full Disclosure earlier this month, in which the author attached the spoils of a phishing attack against MySpace users, consisting of 56,000 user names and passwords.

These lists have surfaced in the security community before, allowing the white hats to see the data that the black hats have swindled out of unsuspecting users. Bruce Schneier did a fascinating analysis of an earlier

MySpace password list in his Wired News column last month. But MySpace has apparently decided to take a blunt instrument to this one. Fyodor writes:

Instead of simply writing me (or abuse_at_seclists.org) asking to have the password list removed, MySpace decided to contact (only) GoDaddy and try to have the whole site of 250,000 pages removed because they don't like one of them. And GoDaddy cowardly and lazily decided to simply shut down the site rather than actually investigating or giving me a chance to contest or comply with the complaint. Needless to say, I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks. One who considers it their job just to refer people to the SecLists.Org nameserver at 205.217.153.50, not to police the content of the services hosted at the domains. The GoDaddy ToS forbids hosting what they call "morally objectionable activities". It is way too late for MySpace to put the cat back in the bag anyway. The bad guys already have the file, and anyone else who wants it need only

Google for "myspace1.txt.bz2" or "duckqueen1". Is MySpace going to try and shut down Google next?

The site is back up now, sans password file. But if the take down really happened this way (I have a call into GoDaddy, and an e-mail out to MySpace) it's disturbing. The usual DMCA-inspired path to scrub objectionable content from the web is to send a note to the administrator of the site demanding its removal, and, if that fails, to contact the hosting company or internet service provider.

There are plenty of incidents of this process being abused, but at least it leaves a clear trail of responsibility. You know from the get-go what the content at issue is, who objects to it, and why. Now it seems a company can bypass all that and get an entire site removed from the internet behind the owner's back.

Update: GoDaddy has responded. Read general counsel Christine Jones' comments here.

Photo: Jacob Appelbaum