GoDaddy Wants Your Root Password

samzenpus posted more than 4 years ago | from the seems-fair dept.

Security 236

Johnny Fusion writes "The writer of the Securi Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials. There is an update where GoDaddy explains itself and says they will change policy."

236 comments

OK - here it is (-1, Offtopic)

abbynormal brain (1637419) | more than 4 years ago | (#31266912)

DrKn0ck3rs

Re:OK - here it is (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31266922)

I'd like to root your mom with my cock.

Re:OK - here it is (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31266984)

that's what she said

Re:OK - here it is (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31267106)

that reminds me... last night I was browsing porn videos, trying to get my wank on. Nothing was really doing it for me, the selection really sucked. Then I found this amateur video, some dude fucking his wife. She was too fat but at least had the decency to shave her pussy. I couldn't put my finger on it but she looked strangely familiar for some reason. Anyhow, the dude was fucking her with the tiny penis, I mean, he was hung like a hamster. Or asian. Or maybe an asian hamster. Then it panned back to her face and it hit me: THAT WAS KATHLEEN FENT!!! Yeah, and Rob Malda with his fucking 3" baby dick. lol, too creepy.

Re:OK - here it is (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31266928)

Where'd you get my password!?!?!?! And why are you posting it on /.!?!?!

Fail (0)

Anonymous Coward | more than 4 years ago | (#31266948)

Apparently submitter didn't RTFA.

Fail.

They physically own the box (5, Insightful)

SpazmodeusG (1334705) | more than 4 years ago | (#31266956)

You already trust them 100% if you let them have access to your box

/That sounded wrong somehow

Re:They physically own the box (1)

LostCluster (625375) | more than 4 years ago | (#31266974)

Yep. Reminds me of when I tried to set up a firewall password for a software vendor, only to find my boss constantly deleting it. He wanted to make a big deal out of every time they wanted to log in... I had problems that only they could solve so I needed them in frequently. He was basically wasting my time.

Re:They physically own the box (1)

mysidia (191772) | more than 4 years ago | (#31267382)

Well, I understand why he'd want to delete it. But a password expiration should be used instead, and it shouldn't be removed until a period of time when it is no longer going to be frequently needed.

Re:They physically own the box (1, Informative)

Anonymous Coward | more than 4 years ago | (#31267628)

Two things:

First, your boss is right - it *should* be a big deal each time an external party wants access to your system.

Second, your boss wasn't wasting *your* time. As you were being paid by him, it was his time you were wasting.

Re:They physically own the box (0)

Anonymous Coward | more than 4 years ago | (#31267176)

TWSS

The question is if GoDaddy is trustworthy. (5, Informative)

Futurepower(R) (558542) | more than 4 years ago | (#31267224)

That's not the question. The question is if GoDaddy is trustworthy.

Judge for yourself. Here are some stories about GoDaddy on Slashdot, in order by date:
Go Daddy Usurps Network Solutions [slashdot.org] (2005-05-04)
GoDaddy Serves Blank Pages to Safari & Opera [slashdot.org] (2005-12-08)
GoDaddy.com Dumps Linux for Microsoft [slashdot.org] (2006-03-23)
GoDaddy Holds Domains Hostage [slashdot.org] (2006-06-17)
GoDaddy Caves To Irish Legal Threat [slashdot.org] (2006-09-16)
MySpace and GoDaddy Shut Down Security Site [slashdot.org] (2007-01-26) That incident prompted this web site:
Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names [nodaddy.com] .
Alternative Registrars to GoDaddy? [slashdot.org] (2007-02-03)
GoDaddy Bobbles DST Changeover? [slashdot.org] (2007-03-11)
850K RegisterFly Domains Moved To GoDaddy [slashdot.org] (2007-05-29)
According to this March 11, 2008 story in Wired, GoDaddy shut down an entire web site of 250,000 pages because of one archived mailing list comment: GoDaddy Silences Police-Watchdog Site RateMyCop.com [wired.com] . See below for Slashdot's story about RateMyCop.com.
GoDaddy Silences RateMyCop.com [slashdot.org] (2008-03-12)
ICANN Moves Against GoDaddy Domain Lockdowns [slashdot.org] (2008-04-08)
GoDaddy VP Caught Bidding Against Customers [slashdot.org] (2008-06-29)

Those are just the stories until July of 2008.

GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable.

Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!! [archive.org]

He uses women's bodies to advertise: Bob Parson's Video Blog [bobparsons.tv] .

Re:The question is if GoDaddy is trustworthy. (-1, Offtopic)

goldaryn (834427) | more than 4 years ago | (#31267254)

Mods, now is the time for action

Mod this man up +5 Informative, stat. The most deserving post I have seen for a long LONG time

Another story, partly about GoDaddy. Chilling. (5, Informative)

Futurepower(R) (558542) | more than 4 years ago | (#31267324)

Quote from the story, Registrars Still Ignoring ICANN Rules [slashdot.org] : "Over a year ago ICANN moved to clean up misbehaving registrars like GoDaddy..." (2009-07-22)

Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."

Re:Another story, partly about GoDaddy. Chilling. (1)

shentino (1139071) | more than 4 years ago | (#31267422)

Sounds like a breach of contract between Godaddy and whoever gave them their "registrar license", yes?

Or is it Verisign's job to police godaddy?

Re:Another story, partly about GoDaddy. Chilling. (1)

interval1066 (668936) | more than 4 years ago | (#31267756)

Sounds like business as usual to me. I've written about this on /. before; I've had personal dealings with people associated with GoDaddy and a few of their own employees. Jay Westerdahl (google the jerk) runs (ran?) a company that was very tight with GoDaddy. I never got a very warm feeling from the man and heard interesting things from his associates about the people who run GoDaddy. All I can do is make accusations; but if you ever find yourself looking for work or isp partnerships in Seattle don't do them with GoDaddy or Name Intelligence. Not even sure NI is still in business. What I can say about Westerdahl is he started domaintools.com in his garage or something and hit it big with a website giving its subscribers access to tools commonly available on any unix system. Can't argue with success, but then to work the kid, he makes you feel every inch of his economic superiority over you. Of course, if you're a possible business partner, he will ask you if he can s*** your d***. And Ray King (aboutus.com); idiot.

Re:The question is if GoDaddy is trustworthy. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31267370)

Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!! [archive.org]

When you cite the man's blog that has absolutely nothing to do with the hosting company he is CEO of, to state that he is "pro-violence", you kind of blow the credibility of your argument. Please keep your personal political opinions out of non-political debates. What you did there is no better than any other meritless political smear campaign.

The rest of your post was spot-on, though, and I wouldn't trust GoDaddy with my first name.

Re:The question is if GoDaddy is trustworthy. (0, Offtopic)

Rob the Bold (788862) | more than 4 years ago | (#31267410)

Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!! [archive.org]

When you cite the man's blog that has absolutely nothing to do with the hosting company he is CEO of, to state that he is "pro-violence", you kind of blow the credibility of your argument. Please keep your personal political opinions out of non-political debates. What you did there is no better than any other meritless political smear campaign.

The rest of your post was spot-on, though, and I wouldn't trust GoDaddy with my first name.

You can base your opinion of a corporation on the politics of its CEO. Unless you're afraid that ACs will criticize you . . . No, it's the Anonymous Cowards!!!!1! Oh noes!

But seriously, folks. If a CEO is naive enough to think that no one will be impressed by his politics, positively or negatively, it's hard to imagine how he got so far in the first place. More likely, a CEO figures he'll play the percentages. That's how smart managers win ball games.

Re:The question is if GoDaddy is trustworthy. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31267762)

You can base your opinion of a corporation on the politics of its CEO

Sure you can, and many people do.

But the statement

He is pro-violence: Close Gitmo? No way!

is inflammatory. To start with it is opinion presented as fact. Even following the link & reading it the statement the CEO's position on violence is debatable since it isn't talking about "violence" but a specific situation, yet the poster presented it as a sweeping generalization of the CEO's entire belief system. It also is carefully phrased to imply that there is something wrong with being pro-violence, which is ALSO opinion & a debatable issue.

The poster then proceeds to switch subject tracks entirely & go off on some type of radical feminist rant. Yes, they do use women's bodies as advertising, that's not exactly a secret you know. The statement is also presented with the connotation that this is a Bad Thing, which is the poster's opinion and open for debate. The poster is obviously biased since there is no mention of using Men's bodies as advertising.

Unless you're afraid that ACs will criticize you . . . No, it's the Anonymous Cowards

First, I post both anon and under my name depending on where I am.
Second, I don't give a shit if you're posting AC or not, it doesn't make your points or opinions any more or less worthwhile.

So while the poster managed to fool a bunch of mods into giving him an interesting tag, all the post really amounts to is a series of Redundant links to former slashdot articles, followed by some crafty Flamebait.
Which, after looking over his comment history, is pretty much par for the course.

Re:The question is if GoDaddy is trustworthy. (5, Informative)

Anonymous Coward | more than 4 years ago | (#31267412)

"GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable. "

This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise.

Re:The question is if GoDaddy is trustworthy. (1)

Hurricane78 (562437) | more than 4 years ago | (#31267518)

That's not the question. The question is if GoDaddy is trustworthy.

[Huge list of news, showing GoDaddy’s questionable trustworthiness]

I think you just answered that question. ;)

Also, (I know that looks are not really relevant) why does he look like a cross of Hannibal Lecter and a child molester? (I swear, looks can’t be that irrelevant, considering [statistically significantly] how often they fit. ;)

Re:The question is if GoDaddy is trustworthy. (1)

Runaway1956 (1322357) | more than 4 years ago | (#31267558)

"GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable."

I work nights. Sometimes, I'm actually in the shop to listen to the radio. It seems that every 15 minutes, one company or another is pitching some worthless product, trying to scare the dumb consumer into purchasing some "security" product.

"Hi, I'm former Police Chief Frazzle Brain. Did you know that online identity theft is the fastest growing crime in America? Send me $100 and I'll protect you!"

Can't help wondering how many clueless people send him the money . . . .

Re:The question is if GoDaddy is trustworthy. (0)

Anonymous Coward | more than 4 years ago | (#31267610)

GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable.
Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!! [archive.org]
He uses women's bodies to advertise: Bob Parson's Video Blog [bobparsons.tv].

You almost had me up until this point.

1. That's called marketing & sales. Not saying I agree with it, but that claim can be made about just about any company out there.
2. The owner's positions on violence, gitmo, and the color of underwear (if any) which he uses are of ZERO importance. If you want to go on some moral crusade because of a company's religious beliefs feel free, but don't bring it into this discussion as it's completely irrelevant.
3. See point 1 verbatim. I also notice you aren't having any moral outrage over anybody using Men's bodies to advertise, which also makes you a hypocrite.

So which competing hosting company are you shilling for?

Re:The question is if GoDaddy is trustworthy. (0)

Anonymous Coward | more than 4 years ago | (#31267622)

Wow, maybe you have had a bad experience with them? Seemed ready to go for that one. I love the "pro-violence" and advertising on women's bodies, for shame :) Personally I have never used them and will not ever because of folks I know, who had issues. Not trust related though. Sorry carry on.

Re:They physically own the box (4, Insightful)

Hurricane78 (562437) | more than 4 years ago | (#31267444)

Yes and no. It’s like having an apartment. The landlord might own it. But it’s still highly illegal for him to go into your apartment without you allowing it. It’s the same thing as breaking it.

The question of trust was not the point. The point is, that the landlord is telling you, to give you a copy of keys of the apartment, or he’d throw you out.
In Germany, he would get dragged to court, and lose big time, when trying this on anyone.

The same should be true for GoDaddy. Everything else would be laws not keeping up with progress.

Re:They physically own the box (1)

postbigbang (761081) | more than 4 years ago | (#31267486)

It's unethical and definitely borders on breach, not to mention access laws in many jurisdictions.

It's bad behavior, and given their track record, they'll pull something like this again. Just loved those cuties at CES this year....

So who's your daddy? OoooOoooh YeeaaaH! (-1, Offtopic)

viraltus (1102365) | more than 4 years ago | (#31266958)

What can you expect with that name?

Re:So who's your daddy? OoooOoooh YeeaaaH! (0)

Anonymous Coward | more than 4 years ago | (#31267172)

CENSORSHIP IN Slashdot!? WTF!! Otherwise how can you go from GOOD to BAD Karma WITHOUT negative mods????

That's funny... your post history shows otherwise. If you don't want to have such awful karma, stop posting stupid shit all the time... Like the post you just made.

Feature, not a bug. (4, Interesting)

LostCluster (625375) | more than 4 years ago | (#31266960)

When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.

This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

Nothing to see here... move along.

Re:Feature, not a bug. (5, Insightful)

Neil Blender (555885) | more than 4 years ago | (#31266988)

Why not just create an alternate account with sudo for them? Why give them root?

Re:Feature, not a bug. (1)

LostCluster (625375) | more than 4 years ago | (#31267042)

If you give them a non-root user with all of the privileges of root, there's no way for them to know if you've really given them root. You're trying to rule out possible problems, you don't want to give support a false answer they can hang their hat on.

Re:Feature, not a bug. (3, Informative)

Neil Blender (555885) | more than 4 years ago | (#31267094)

If you give them a non-root user with all of the privileges of root, there's no way for them to know if you've really given them root.

sudo su

Re:Feature, not a bug. (2, Informative)

SpaceLifeForm (228190) | more than 4 years ago | (#31267162)

sudo su -

Re:Feature, not a bug. (2, Informative)

Tacvek (948259) | more than 4 years ago | (#31267458)

Don't you mean "sudo -i". That will launch a root login shell. Using "sudo su -" just makes it look like you never read the sudo manpage.

Re:Feature, not a bug. (1)

zoe23 (1269742) | more than 4 years ago | (#31267584)

Or you're using an older version of sudo that doesn't accept "-i" (e.g. =RHEL4)

Re:Feature, not a bug. (1)

Runaway1956 (1322357) | more than 4 years ago | (#31267588)

Few people RTFA, why would they read a manpage? Come on, this is EARTH, the place with upright monkeys walking around, claiming to be intelligent. No one reads manpages!

Re:Feature, not a bug. (4, Interesting)

mysidia (191772) | more than 4 years ago | (#31267502)

Two things... (1) of course they can determine that after logging in with the credentials.

(2) Godaddy is using fricking Virtuozzo as their VPS hosting platform right?

They technically then don't NEED the root password at all if so.

In theory, they could 'vzctl enter' a customer's VPS from the host node. To be clear: _entering_ a container, spawns a new shell child process with the customer's VZPID, such that the child shell is actually created inside the customer's VPS.

Now there might be some reasons they wouldn't want to do this, or that they'd want to wrap that in additional layers.

Well, the reason is entering a VPS from the host node potentially places the VPS they have entered in control of the user's terminal.

That could in theory be a security risk to GoDaddy's own system.

So by getting the VPS root password, they can enter the VPS over the network, instead of through the hardware node.... thus, not ensuring a VPS can never have control over a terminal logged into the hardware node.

Basically, this is more sound security wise.

Anyways... there definitely doesn't seem to be anything wrong with GoDaddy gaining access to a customer VPS on an official basis, for good reasons, to investigate possible customer abuse or malware.

As long as they follow professional standards, respect customer privacy completely, do not conduct any abuses, such as stealing leaking info, or gratifying personal curiosities (IOW: no abuse whatsoever) -- basically everything you would expect from an admin of Gmail or Yahoo mail (as in not reading your e-mail and using it for personal uses, to satisfy curiosities, blackmail you, etc...).

Oh yeah, and that they exclude any utilization they generate from the customers' bandwidth / resource bills.

Re:Feature, not a bug. (5, Insightful)

lymond01 (314120) | more than 4 years ago | (#31267044)

Why not just create an alternate account with sudo for them?

If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.

Re:Feature, not a bug. (1)

maxume (22995) | more than 4 years ago | (#31267078)

That is entirely the wrong way to do paranoia.

Re:Feature, not a bug. (1)

camperdave (969942) | more than 4 years ago | (#31267768)

I'm doing paranoia the right way. You're just saying that to get me to lower my guard. My paranoia is good enough, isn't it? What if it isn't? What if you're right? Maybe I am doing paranoia the wrong way. Oh goodness, maybe they already know I'm doing it wrong. Maybe they've already gotten in. Help me!

Re:Feature, not a bug. (1)

Thinboy00 (1190815) | more than 4 years ago | (#31267154)

If they have root or sudo then they can change your password behind your back... unless you have a restrictive /etc/sudoers file.
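What "restrictive" means for the support-account idea raised in this thread, as an added example that is not part of any commenter's post: it reads a sudoers policy and flags the rules that are equivalent to handing over root. The account names, aliases and the `ROOT_EQUIVALENT` list are constructed for illustration, and the code assumes one user specification per line with no escaped commas.

```python
import posixpath
import re

# Constructed sample policy; account names and commands are invented.
SAMPLE = r"""
# support access for the hosting provider
Defaults    env_reset
Cmnd_Alias  SUPPORT_DIAG = /usr/bin/tail -n 200 /var/log/httpd/error_log, \
                           /sbin/service httpd status
Cmnd_Alias  ACCOUNTS = /usr/bin/passwd, /usr/sbin/usermod
hostsupport ALL = (root) NOPASSWD: SUPPORT_DIAG
vendor      ALL = (ALL) ALL
helpdesk    ALL = ACCOUNTS
webdev      ALL = (www-data) /bin/bash
"""

# Binaries that hand out a root shell or rewrite credentials when run as
# root. Illustrative, not exhaustive (editors and pagers can also escape).
ROOT_EQUIVALENT = {"su", "sudo", "sh", "bash", "zsh", "ksh", "passwd",
                   "chpasswd", "usermod", "visudo"}

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")   # user host = rest
RUNAS = re.compile(r"\(([^)]*)\)")               # (user[:group]) list
TAG = re.compile(r"\b[A-Z_]+:\s*")               # NOPASSWD:, NOEXEC:, ...
SKIP = ("#", "@include", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def _commands(text):
    """Split a comma-separated sudoers command list."""
    return [c.strip() for c in text.split(",") if c.strip()]


def audit(sudoers_text):
    """Return (user, command) pairs that amount to full root."""
    aliases, findings = {}, []
    # Join backslash-continued lines before parsing.
    for raw in sudoers_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        alias = ALIAS.match(line)
        if alias:
            aliases[alias.group(1)] = _commands(alias.group(2))
            continue
        spec = SPEC.match(line)
        if not spec:
            continue
        who, rest = spec.groups()
        runas = RUNAS.search(rest)
        # With no (runas) list, sudo runs the command as root.
        targets = runas.group(1).split(":")[0] if runas else "root"
        if not {t.strip() for t in targets.split(",")} & {"root", "ALL"}:
            continue  # rule cannot run anything as root
        granted = []
        for cmd in _commands(TAG.sub("", RUNAS.sub("", rest))):
            granted.extend(aliases.get(cmd, [cmd]))  # expand Cmnd_Alias
        for cmd in granted:
            if cmd.startswith("!"):
                continue  # a deny entry grants nothing by itself
            binary = posixpath.basename(cmd.split()[0])
            if cmd == "ALL" or binary in ROOT_EQUIVALENT:
                findings.append((who, cmd))
    return findings


def grants_root_equivalent(sudoers_text, user):
    """True if any rule for `user` is as good as the root password."""
    return any(who == user for who, _ in audit(sudoers_text))


if __name__ == "__main__":
    for who, cmd in audit(SAMPLE):
        print(f"{who}: {cmd} is equivalent to handing over root")
```

Only the `hostsupport` rule, limited to two fixed diagnostic commands, survives the audit; removing that one account afterwards revokes the access without touching the root password.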

Re:Feature, not a bug. (1)

dissy (172727) | more than 4 years ago | (#31267528)

If they have root or sudo then they can change your password behind your back... unless you have a restrictive /etc/sudoers file.

Change yes. View no.

Me giving you root access to my machine does not necessarily give you my passwords.
An easily brute forced hashing for passwords would, as would you installing some software to wait and log when I next typed in a password.

But both of those are illegal, and one would assume a legit company would not want to do that.

This same legit company however OWNS that computer, so it is not illegal for them to log in as root.
(It probably would be if they claimed they never would, or permission wasn't agreed upon, but neither is the case)

Re:Feature, not a bug. (4, Insightful)

dissy (172727) | more than 4 years ago | (#31267542)

If I had mod points, I'd bump you up. Your password is your password. Who knows what else a person uses that password for...trying to gain access by using it is tantamount to a phishing scheme. Get your own damn password.

Ironically, the very last sentence is exactly the solution one should use when choosing what password to set on a machine you do not own that others have full and total access to, physically, electronically, and legally.

If you use the same password on two things, a password being a shared secret, clearly both of those things now have that secret and can use it between each other.

Solution? Get your own damn password! :D

Re:Feature, not a bug. (4, Informative)

Thinboy00 (1190815) | more than 4 years ago | (#31267144)

Why not just create an alternate account with sudo for them? Why give them root?

Give them sudo and they can grab root whenever they want:
sudo -i
passwd
[input new password twice]
exit

Re:Feature, not a bug. (1)

Neil Blender (555885) | more than 4 years ago | (#31267216)

Give them sudo and they can grab root whenever they want:

First, why would support change the root password? They can sudo su and get root if you let them.

Second, one nice thing about giving them sudo instead of root is that you can disable/delete the user or change the password. This is preferable to changing the root password after they access it, especially if you have the same root password on dozens of machines.

Re:Feature, not a bug. (4, Insightful)

TubeSteak (669689) | more than 4 years ago | (#31267232)

Give them sudo and they can grab root whenever they want:

I think the point is that they should never have access to your password.
(Which is why TFA mentions that GoDaddy encrypts the passwords instead of using a one way hash)
If they have sudo and reset your root password, they're going to have to explain themselves later.

Re:Feature, not a bug. (1)

Hurricane78 (562437) | more than 4 years ago | (#31267534)

But they won’t be able to know your actual password. Which was the point.
(Of course that ends, as soon as they install a different “passwd” program, and you use it to enter your new password.)

Re:Feature, not a bug. (1)

'Aikanaka (581446) | more than 4 years ago | (#31267560)

whut? What version of sudo do you have installed? That option doesn't exist on my box:

$ sudo -i
sudo: Illegal option -i
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt] [-u username/#uid] -s |

$ sudo -V
Sudo version 1.6.7p5

Re:Feature, not a bug. (0)

Anonymous Coward | more than 4 years ago | (#31267418)

Why don't they just put their own SSH public key in root's authorized_keys file? Surely they have access to the VPS's filesystem...

Re:Feature, not a bug. (5, Interesting)

batrick (1274632) | more than 4 years ago | (#31267148)

A VPS is rented space on hardware in the same way you rent an apartment. You don't own the hardware, but that doesn't mean the host can break into your box whenever he wants. Maybe the contract asserts they have that right (you would be an idiot to contract with them). Use Linode (arguably the best VPS provider in the industry): http://linode.com/ [linode.com] (I am not affiliated with Linode.)

Re:Feature, not a bug. (1)

RoFLKOPTr (1294290) | more than 4 years ago | (#31267402)

When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.

This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

Nothing to see here... move along.

That would make sense if this was a dedicated server, but this is a VPS. With the two different VM systems I've administered VPSes with (OpenVZ and Xen), you're able to log into any virtual machine as root from the hardware node without a password, negating the need for any of the user's passwords. With OpenVZ it's just `vzctl enter [vpsid]`. There is no reason GoDaddy should be asking for passwords, let alone be automatically probing the VPSes to make sure the passwords on file are correct.

Re:Feature, not a bug. (5, Informative)

Eil (82413) | more than 4 years ago | (#31267668)

I was just about to write the same thing. This was something that was already brought up weeks ago in an Ask Slashdot. People who don't have much exposure to the web hosting business (and that includes most Slashdotters) don't understand that web hosting falls into two major categories:

1) Unmanaged

2) Managed

Unmanaged hosting means you have full control over all of the software on your machine. (And by "machine" I mean both a real machine and a VPS or cloud node.) Nobody touches your configuration in the slightest once control has been handed over to you. If something goes wrong, including hardware failure, it's the customer's responsibility to notice it and either fix it or get it fixed. Any technical support beyond typical datacenter stuff usually incurs an hourly fee. Unmanaged hosting is ideal for people who want to admin their setup 100% on their own.

Managed hosting means the web hosting provider monitors the machine which can include external probes (checking for a response on various TCP ports) and internal metrics like system load and disk utilization. When a red flag pops up, a technician logs into the machine and tries to fix whatever is happening. You can call them up with all manner of ridiculous requests ("install WordPress for me and apply this theme") and they have to do it because, well, that's what the customers expect with a managed hosting account. Managed hosting is awesome for people who want a web server but don't have the expertise or will to actually configure and maintain it.

What the submitter ran into is that he thought he had unmanaged hosting but actually has managed hosting. I don't completely blame him, because a lot of hosting providers don't explicitly state which style they provide. Sometimes it's even hard to tell after you've purchased the product. But it's something you have to figure out or else you're going to be deeply dissatisfied with the company's technical support, as the submitter was.

No Surprises Here (4, Interesting)

neoform (551705) | more than 4 years ago | (#31266968)

Not surprising at all.

I had a domain with Godaddy a few years ago when they breached ICANN's rules by threatening to confiscate my domain unless I paid them $200, because I had supposedly breached their TOS.

GoDaddy is not to be trusted.

Re:No Surprises Here (3, Funny)

LostCluster (625375) | more than 4 years ago | (#31267002)

I had supposedly breached their TOS.

What was your alleged offense and how do we know you didn't do it?

Re:No Surprises Here (2, Insightful)

Thinboy00 (1190815) | more than 4 years ago | (#31267174)

They can't take his domain, regardless of the TOS, if I understand his post correctly. IANAL and IANFamiliarWithICANN'sRulesOrTheTOS.

Re:No Surprises Here (5, Interesting)

neoform (551705) | more than 4 years ago | (#31267282)

Someone (falsely) accused me of spamming.

However, even *if* I was a spammer, what right does godaddy have to confiscate my domain? I didn't even have any hosting with them, I just had a domain registered. This is clearly against ICANN policy. Registrars are not arbiters who get to take your domain away because they feel like it.

Re:No Surprises Here (2, Insightful)

shentino (1139071) | more than 4 years ago | (#31267434)

Who exactly would spank them if they did?

Rules are no good unless they can be enforced.

Re:No Surprises Here (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31267010)

Care to include some proof to backup your claim?

Yes, exactly. (0)

Anonymous Coward | more than 4 years ago | (#31267246)

Care to include some proof to backup your claim?

Exactly.

And IF a company tries that BS, start making a LOT of noise and shame the SOBs or at the very least warn the rest of us so we can put a kibosh on any business.

Re:No Surprises Here (4, Informative)

neoform (551705) | more than 4 years ago | (#31267618)

This was back in 2005, but lucky for me gmail archives everything. ;)

Dear *******,

Thank you for contacting Go Daddy's Spam and Abuse Department.

Go Daddy defines spam as any communication sent to recipients, as an
advertisement or otherwise, without first obtaining prior confirmed consent
to receive these communications from your domain by the recipient. This
includes, but is not limited to, the following:

- Email Messages
- Newsgroup postings
- Windows system messages
- Pop-up messages (aka "adware" or "spyware" messages)
- Instant messages (using AOL, MSN, Yahoo or other instant messenger
programs)
- Online chat room advertisements
- Guestbook or Website Forum postings

It appears that the complaint we've received regard off-topic or
unauthorized email advertisements. A copy of one of the
offending advertisement has attached to this message.

Please keep in mind that it is not our intention to cause anyone's business
to suffer and we do appreciate your cooperating with us on this matter.
Because of your cooperation and willingness to resolve this issue thus far,
your services have not been interrupted, but this situation remains
unresolved.

At this point you have two options available to you, each is outlined below:

----- Option #1: Discontinue all future unauthorized advertising practices.

If you wish to remain a Go Daddy customer and close this matter, you must
reply to abuse@godaddy.com with the following:

1. A statement that you (or your employees, affiliates, 3rd party marketers,
etc.) will no longer advertise or promote your domain name using
unauthorized instant messenger advertisements or any other unauthorized form
of communication.

2. Authorization for GoDaddy.com to charge a $199 non-refundable
administration fee* to the credit card on file for your account.

If you reply with this statement and agree to pay this fee, Go Daddy will
accept, in good faith, your commitment as proof of your desire to correct
this problem.

Please be aware that Go Daddy will continue to monitor this situation. If
after you commit to ceasing this activity it is determined that this problem
persists, your domain name may be immediately redirected and your service
suspended. We realize additional complaints resulting from the posts you
have just committed to stop may come in and we will of course consider this,
and contact you before taking action.

----- Option #2: Transfer your domain name to another registrar.

If option #1 is not agreeable to you, or you are unable to comply with these
terms, you must transfer your domain name to another registrar. We first
require that you pay a $50 administration fee before allowing you to proceed
with your transfer. Again this fee used to offset the costs of "cleaning up"
the outstanding spam complaints against your domain name.

You will need to provide the following in your reply:

1. A statement that you will initiate the transfer of your domain name to a
new registrar within the next 24 hours.

2. Authorization for GoDaddy.com to charge a $50 administration fee* to the
credit card on file for your account.

----

* You may want to log into your Go Daddy account and confirm that the card
on file is valid and has not expired.

-----

*PLEASE NOTE: If you do not follow one of the options outlined above your
domain name may be immediately redirected and your service suspended.

-----

Please let us know what option you choose, thank you for your cooperation.

Sincerely,

Spam and Abuse Department
GoDaddy.com

When I refused both those options (since I had paid for a year's worth of registration and didn't feel like paying any penalties), they told me they would change my DNS info without my permission.

Re:No Surprises Here (1)

aflag (941367) | more than 4 years ago | (#31267014)

What registrar do you recommend instead?

Re:No Surprises Here (1)

LostCluster (625375) | more than 4 years ago | (#31267096)

And since GoDaddy is aware that their GoDaddy Girls ads gain them some men, but offend some women, they operate several other domain registrar brands that seemingly have no connection.

Re:No Surprises Here (0)

Anonymous Coward | more than 4 years ago | (#31267592)

I'm a fan of Hover (formerly DomainDirect). They're the registrar operated by Tucows, not a reseller. Clean interface (if a touch weird) and absolutely none of the sleazy upselling. Domain privacy comes with the registration, no fearmongering like GoDaddy throws at you.

It's a little more, so if you have hundreds of domains, it might make a dent. Otherwise, it's worth the cost of a mocha at starbucks every year to patronize a business that doesn't come off like used car salesmen.

I'd have thought it was obvious, but... (5, Insightful)

straponego (521991) | more than 4 years ago | (#31266994)

Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.

Re:I'd have thought it was obvious, but... (1)

interkin3tic (1469267) | more than 4 years ago | (#31267200)

Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.

That seems like it would depend on what I used my domain for or what my business was. Soft-core porn site? Seems fitting.

Re:I'd have thought it was obvious, but... (1)

steelfood (895457) | more than 4 years ago | (#31267278)

advertises its services with soft-core porn.

Their advertising screams "by geeks for geeks" to me.

Re:I'd have thought it was obvious, but... (0)

Anonymous Coward | more than 4 years ago | (#31267338)

Geek like "good with computers" or geek like "never seen a woman before"?

YES SLASHDOT, THERE'S A DIFFERENCE, IT'S NOT A SETUP

I always wondered what use GoDaddy is (4, Insightful)

beakerMeep (716990) | more than 4 years ago | (#31267000)

They only seem to market themselves by objectifying women and their services don't seem low priced or high quality. Frankly I think they are an embarrassment to the tech world.

Re:I always wondered what use GoDaddy is (2, Funny)

CorporateSuit (1319461) | more than 4 years ago | (#31267028)

They only seem to market themselves by objectifying women.

You're not one of those people who think that "The Office" is an actual documentary, are you?

Re:I always wondered what use GoDaddy is (1)

skuzzlebutt (177224) | more than 4 years ago | (#31267108)

But what about the boobies^H^H^H superbowl commerci^H^H^H quality service they provide?

Re:I always wondered what use GoDaddy is (0)

Anonymous Coward | more than 4 years ago | (#31267260)

Last I checked they were the lowest priced registrar. I agree their other services are not competitively priced, but I don't use them for anything but domain registration.

Should I be using a different registrar for cheap domain registration? Who is cheaper?

That's scary.... (1)

DJ DeFi (1344863) | more than 4 years ago | (#31267006)

Back up your data and move to a new host...don't forget to change the passwords though!

Re:That's scary.... (4, Insightful)

sakdoctor (1087155) | more than 4 years ago | (#31267128)

They store all the passwords encrypted, and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (like to investigate malware)

Look at this epic fail right here. All security bets are off.

M$ pwnage (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31267036)

Doesn't Microsoft own root on all Windows installs? Where's the uproar from the cows over that?

Re:M$ pwnage (1, Informative)

Anonymous Coward | more than 4 years ago | (#31267316)

Wow, that is the cleverest, most original post I have ever seen on Slashdot. I mean whoa - a negative Microsoft post. Who would have ever thought of it? Hats off to you sir!

I wonder... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31267072)

My understanding is that "VPS" usually implies that you are living in a VM on somebody else's box.

How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels (ssh, admin passwords, etc.). If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?

Obviously, in theory, you can never win against somebody who controls the hardware (and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
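An added example, not part of the comment above: one way a VPS tenant can notice an `authorized_keys` entry they did not put there is to compare every key's fingerprint against a baseline. The baseline, the sample file and the key blobs below are constructed for illustration, the baseline is assumed to be recorded and stored off the VPS, and the key-type list is abbreviated so other types are reported rather than skipped.

```python
import base64, hashlib, re, struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
# One field = non-space run; a double-quoted option value stays in one field.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, baseline):
    """Return (line_no, finding) for each entry whose key is not in baseline."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] not in KEY_TYPES:   # leading field is an options list
            fields = fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            findings.append((no, "unparseable"))
            continue
        try:
            fp = fingerprint(fields[1])
        except ValueError:               # blob is not valid base64
            findings.append((no, "unparseable"))
            continue
        if fp not in baseline:
            findings.append((no, fp))
    return findings

def sample_key(fill):
    """Constructed ed25519-shaped blob for the demo, not a real key."""
    body = struct.pack(">I", 11) + b"ssh-ed25519"
    body += struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(body).decode()

ADMIN, ROGUE = sample_key(1), sample_key(2)
BASELINE = {fingerprint(ADMIN)}          # assumption: recorded and kept off the VPS
SAMPLE = (                               # constructed authorized_keys content
    "# constructed sample file\n"
    f"ssh-ed25519 {ADMIN} admin@laptop\n"
    f'command="echo ssh-ed25519 {ADMIN}" ssh-ed25519 {ROGUE} x\n'
)

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE, BASELINE):
        print(f"line {line_no}: not in baseline: {finding}")
```

The third sample line mentions the trusted key inside a quoted option, which a whitespace-only split would mistake for the entry's key. A check like this runs inside the guest, so it only covers changes made to the file, not the in-memory tampering the comment also raises.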

Double take (4, Insightful)

syousef (465911) | more than 4 years ago | (#31267080)

We've got a security expert who gets an email demanding his root password, and it's all good because they called and said sorry we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!

Christian morality (0, Troll)

wiredlogic (135348) | more than 4 years ago | (#31267104)

This isn't surprising coming from a company founded on Christian* values.

*The distorted Protestant American version of the faith.

Re:Christian morality (2, Informative)

HikingStick (878216) | more than 4 years ago | (#31267364)

What makes you think GoDaddy is founded on any sort of religious values? The ads don't suggest it.

Re:Christian morality (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31267540)

They have a long standing policy of refusing business with people who promote an agenda that counteracts conservative Christianity. It's impossible to register or get hosting for a pro-choice site with them for instance. Just because they use T&A in their ads doesn't make them even handed. It just shows that they will stoop to any level to attract customers.

Re:Christian morality (1, Insightful)

couchslug (175151) | more than 4 years ago | (#31267470)

"*The distorted Protestant American version of the faith."

Religions should be judged by practice, not theory.

Besides the obvious fact they are fantastic nonsense, the superstitions of the desert are only useful for facilitating oppression and violence.

Color me surprised (1, Funny)

beefnog (718146) | more than 4 years ago | (#31267126)

With a title this inflammatory I could have sworn I was about to read a kdawson piece.

Re:Color me surprised (1)

daveime (1253762) | more than 4 years ago | (#31267472)

Nah, the title would have been "GoDaddy HACKZORED my server".

Completely misleading, check.
Uses the word "hack" inappropriately, check.
Links to other articles about a different branch of the same company, check.

Physical Access (1)

nicolas.kassis (875270) | more than 4 years ago | (#31267236)

They have physical access which means they don't need the root password. The fact that they store the password just shows plain lack of skill or laziness to implement a better access method by their admins. Storing the passwords where they could potentially be accessed is the issue here. What happens if the database is hacked and the passwords stolen without their knowledge? Insider hacking is also a major issue. Having the root password could allow an attacker to log in and erase all traces easily. Of course it's doable with physical access too but in that case, it's a little more intrusive.

Re:Physical Access (0)

Anonymous Coward | more than 4 years ago | (#31267318)

with physical access they could just reboot the machine and load it up on "Kon-Boot" (google it) and login as a sudo without ever changing any files or leaving any trace.

Actually a good idea (1)

DoofusOfDeath (636671) | more than 4 years ago | (#31267352)

Heck, if their sysadmins are definitely like the chicks in the commercials, I'd definitely give them my "root".

Always separate hosting, DNS, and registration (3, Interesting)

cenc (1310167) | more than 4 years ago | (#31267356)

As someone that has been around the block with running a lot of web sites (well, a couple thousand at least) for say the last 10 years, I have learned the hard way to not put all your eggs in one basket. Registries come and go, even the big boys (at least service comes and goes, policies change), hosting providers can go bad for all kinds of reasons, and your DNS services are your keys to the castle in terms of just how much damage an outage can do to a business (backup DNS servers, people).

So? Don't give it to them. (2, Interesting)

Hurricane78 (562437) | more than 4 years ago | (#31267484)

Make a backup of your server, and then tell them that they won’t get it.

If they switch off your server, sue them for extortion, trespassing (in case they entered the server) and damages. [Same rules as with a (business) apartment and a landlord.]

But I personally already had hosters asking me for the root password. I refused. That was it. They did not do anything. (We still had a contract, after all.) Of course they told me that they wouldn’t give me support for the software. But I wouldn’t have wanted that anyway, since on the last managed server, they wrecked my database when one of their idiot admins did “fix” something.

I don’t see the problem. Let them bitch. Tell them to fuck off or you’ll sue. Done.

Imperva FAILS (0)

Anonymous Coward | more than 4 years ago | (#31267504)

Don't they use Imperva for security? I guess it's a testament of how Imperva is a bad choice.

Virus or Malware on Securi blog link!?!? (0)

Anonymous Coward | more than 4 years ago | (#31267582)

Has anyone else noticed that the Securi blog sets off a malware alarm when attempting to access the main site?!?! I'm currently using Avast!
