[Infowarrior] - More on: GetAmnesty.com: MPAA Extortion at its Finest

Richard Forno rforno at infowarrior.org
Tue Aug 28 17:52:41 UTC 2007


------ Forwarded Message
From: security curmudgeon <jericho at attrition.org>
Date: Tue, 28 Aug 2007 17:47:47 +0000 (UTC)

: GetAmnesty.com: MPAA Extortion at its Finest
: Written by Ernesto on August 27, 2007
: http://torrentfreak.com/getamnestycom-mpaa-extortion-at-its-finest/
: 
: The MPAA and their fellow anti-piracy organizations send out thousands
: of infringement notices. Only a fraction of these are played out in
: court, and those that do make it into court are settled at an early
: stage. So why not circumvent the whole legal system, and gently coerce
: people to pay for "amnesty"?

When another site like this first came up there was some discussion and
laughs. Looking at this one, a few things to point out in no particular
order:

- Privacy policy refers to the people using the site as 'customers'. If
  the masses are 'customers', can we now file complaints against them to
  the BBB?

- Privacy policy says "We will never share, sell, or rent your personal
  information with third parties for their promotional use. Occasionally,
  we enter into contracts with third parties so that they can assist us in
  servicing you (for example, providing customer service)." IANAL but that
  seems to contradict itself.

- 'Sign In' is all over HTTP, no encryption used. Reading back to the
  Privacy Policy they say "SECURITY - We take every precaution to protect
  the confidentiality and security of your personal information.." It
  further says "When we ask for sensitive information, such as credit card
  numbers, we protect it through the use of encryption during
  transmission, such as the Secure Socket Layer (SSL) protocol." So that
  means the "Notice ID" and "Password" are not considered sensitive to
  them. If you are entering an agreement with a third party like this, to
  avoid legal proceedings, wouldn't you want some assurance that all of
  this is encrypted when sent to their server?

- They accept Visa, MasterCard and AmEx. I wonder if they are PCI
  compliant? (I'd guess no based on the issues I see on the site just
  browsing around)

- The Terms of Service page has typos, doesn't href link URLs, etc. Worse,
  for 'Modification of Terms' they say "To make your review more
  convenient, we will post a version number or date at the bottom of this
  page." However, on http://getamnesty.com/index.php?p=terms and
  http://www.getamnesty.com/tos.html there is no such number to
  distinguish when it was last modified.

- Useful links has a single link, and surprisingly not to the MPAA/RIAA.

- They are running Apache 1.3.37, mod_fastcgi 2.4.2, mod_auth_passthrough
  1.8, mod_log_bytes 1.2, mod_bwlimited 1.4, FrontPage 5.0.2.2635.SR1.2,
  mod_ssl 2.8.28, OpenSSL 0.9.7a and PHP-CGI 0.1b. Oh, they are powered by
  PHP 5.1.6 too.



