Hi everyone,

Many of you reported that our SecLists.Org security mailing list
archive was down most of yesterday (Wed), and all you really need to
know is that we're back up and running!  But I'm going into rant mode
anyway in case you care for the details.

I woke up yesterday morning to find a voice message from my domain
registrar (GoDaddy) saying they were suspending the domain
SecLists.org.  One minute later I received an email saying that
SecLists.org has "been suspended for violation of the GoDaddy.com
Abuse Policy".  And also "if the domain name(s) listed above are
private, your Domains By Proxy(R) account has also been suspended."
WTF??!  Neither the email nor voicemail gave a phone number to reach
them at, nor did they feel it was worth the effort to explain what the
supposed violation was.  They changed my domain nameserver to
"NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM".  Cute, eh?

I called GoDaddy several times, and all three support people I spoke
with (Craig, Ricky, then Wael) said that the abuse department doesn't
take calls.  They said I had email abuse@godaddy.com (which I had
already done 3 times) and that I could then expect a response "within
1 or two business days".  Given that tens of thousands of people use
SecLists.Org every day, I didn't take that well.  When they realized I
was going to just keep calling until they did something, they finally
persuaded the abuse department to explain why they cut me off:
Myspace.Com asked them to.

Apparently Myspace is still reeling from all the news reports more
than a week ago about a list of 56,000 myspace usernames+passwords
making the rounds.  It was all over the news, and reminded people of a
completely different list of 34,000 MySpace passwords which was
floating around last year.  MySpace users fall for a LOT of phishing
scams.  They are basically the new AOL.  Anyway, everyone has this
latest password list now, and it was even posted (several times) to
the thousands of members of the fulldisclosure mailing list more than
a week ago.  So it was archived by all the sites which archive
full-disclosure, including SecLists.Org.

Instead of simply writing me (or abuse@seclists.org) asking to have
the password list removed, MySpace decided to contact (only) GoDaddy
and try to have the whole site of 250,000 pages removed because they
don't like one of them.  And GoDaddy cowardly and lazily decided to
simply shut down the site rather than actually investigating or giving
me a chance to contest or comply with the complaint.  Needless to say,
I'm in the market for a new registrar.  One who doesn't immediately
bend over for any large corporation who asks.  One who considers it
their job just to refer people to the SecLists.Org nameserver at
205.217.153.50, not to police the content of the services hosted at
the domains.  The GoDaddy ToS forbids hosting what they call "morally
objectionable activities".

It is way too late for MySpace to put the cat back in the bag anyway.
The bad guys already have the file, and anyone else who wants it need
only Google for "myspace1.txt.bz2" or "duckqueen1".  Is MySpace going
to try and shut down Google next?

For some reason, this is only one of a spate of bogus Seclists removal
requests.  I do remove material that is clearly illegal or
inappropriate for SecLists.org (like the bonehead who keeps posting
furry porn to fulldisclosure).  But one company sent a legal threat
demanding[1] that I remove a 7-year old Bugtraq posting which was a
complaint about previous bogus legal threats they had sent.  Another
guy[2] last week sent a complaint to my ISP saying that an image was
child porn and declaring that he would notify the FBI.  When asked why
he thought the picture was of a child, he tried a different tack:
sending a DMCA complaint declaring under penalty of perjury that he is
the copyright holder of the photo!  Michael Crook told me on the phone
that he sent the DMCA request, but when I forwarded the info to the
EFF (who is already suing this guy for sending other bogus DMCA
complaints), he changed his mind and wrote that "after further review,
I can find no record" or mailing the complaint.

Most of the censorship attempts are for the full-disclosure list.  It
would be easiest just to cease archiving that list, but I do think it
serves an important purpose in keeping the industry honest.  And many
good postings do make it through if you can filter out all the junk.
So I'm keeping it, no matter how "morally objectionable" GoDaddy and
MySpace may think it to be!

In much happier Nmap news, I'm pleased to report that the Nmap project
now has a public SVN server so you can always check out the latest
version. Due to a bug in SVN, we use a username as "guest" with no
password rather than anonymous.  So check it out with the command:

svn co --username guest --password "" svn://svn.insecure.org/nmap

Then do the normal:
./configure
make

And install it or set NMAPDIR to "." to run in place.  Among other
goodies, this release includes the Nmap scripting language[3].

If you want to follow Nmap development on a check-in by check-in
basis, there is a new nmap-svn mailing list[4] for that.  But be
prepared for some high traffic as you'll get every patch!

2007 will be a good year for Nmap!

Cheers,
Fyodor

[1] http://seclists.org/nmap-dev/2006/q4/0302.html
[2] http://seclists.org/nmap-dev/2007/q1/0067.html
[3] http://insecure.org/nmap/nse/
[4] http://cgi.insecure.org/mailman/listinfo/nmap-svn