Slashdot Mirror
Slashback: Scrambled, Dreams, Stars
Well, there is just one other little thing ... jmorse writes: "In light of the recent attack on Egghead.com, the company is sending this email to its registered customers, claiming that "...Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has not been compromised." Yet, later in the same email, they admit that "...In addition, reports from the credit card companies with whom we work suggest that fewer than 7,500 credit card accounts registered with us have shown possible fraudulent activity. This is a very small fraction -- less than two tenths of one percent -- of the approximately three million credit cards registered with Egghead.com. " Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."
I think we understand each other, Mr. Bond An unnamed correspondent writes: "This e-mail showed up on the NETBSD/Dreamcast mailing list. Interesting eh?"
Interesting, that is, because it comes (seems to come? can never be too careful these days ... ) from John Byrd, manager of the Developer Technical Support department at Sega of America, who expresses interest in the recent work on Net("runs on 2-stroke oil")BSD for the Sega Dreamcast. Here's the recent Slashdot story on that port.
In it, Byrd says: "Although I can't yet release proprietary technical information publicly, there are other ways we might be able to help out with this sort of project. For example, we may be able to help with testing or verification of compatibility with various revisions of Dreamcast hardware."
Nice to hear, eh?
Mr. Walker played by Jim Carrey Finally, thanks go out to the heroic Starband installer Winston Walker. Regarding the recent story on using Starband's two-way satellite service under Linux and other OSes, Winston expresses himself thusly: "USB to serial for starband is NOT needed. You can use a 9pin to 25pin modem cable. Get rid of ALL the usb stuff on the starband No point in paying 40-50 bucks for that stupid cable (grin)."
Must tend to agree; can anyone else confirm this? Things are looking good for the move to Alpine, Texas, which seems to have some southern sky to spare.
Lest we forget The latest in our series of reprints and reactions to Jon Katz' Hellmouth columns is up.
It is by no means obvious that the transaction that I saw was, in fact, a result of the Egghead "information emission." It could be the result of something else. The questionable transaction is probably not amongst the 7500 that Egghead reported, so it may be that 7500 is a low figure.
If I were to claim that the "evil transaction" (involving some Moscow-based "telecom" company) was a result of Egghead's emission, that represents a potential falsehood. I cannot be certain that there was any relationship. What is certain is that due to the Egghead report, I scrutinized transactions more carefully than usual, and one appeared prominent as a likely fraudulent transaction.
If you're not part of the solution, you're part of the precipitate.
Note that it said possible fraudulent use.
Credit card companies are very paranoid about card usage, and do all sorts of stuff to prevent criminals from getting away with too much.
For example, when my family went to Europe on vacation a couple years ago, MasterCard locked out our accout due to "suspicious activity."
When we got home a week later, we discovered a message on our answering machine asking us about our card usage, recorded on the afternoon that the card was disabled. ("Hello, this is MasterCard. We were calling you at your home in the US to ask you if you are in Europe right now...")
Moral of this story: call your credit card company before you go on vacation. And don't fly British Airways (en route to Heathrow, we were diverted to Montreal because the primary power generator on the plane died and the pilot didn't want to risk flying over the ocean in such a state. Which was good, because the lighting, toilets and air conditioning wasn't working. Didn't even get frequent flyer miles out of it... )
---
The Hotmail addres is my decoy account. I read it approximately once per year.
I don't understand why these companies think it is a "service" to me for them to keep my credit card number on file for a few years. I can understand holding it for 30 or 60 days after the transaction or something, but I haven't bought anything from Egghead in over a year.
I got the e-mail from Egghead. And my card *was* used fraudulently on Nov. 6. I don't know if the two were related, but I strongly doubt Egghead's claims.
--Be human.
Having them on file is not a risk...having them on file *unencrypted* is a risk.
--Be human.
You have obviously completely missed the point of the BSD license. That must explain why you are insulting the intelligence of those who use it by suggesting that they don't understand its implications.
People use the BSD license because they want to propogate the use of quality code. It is open source because that allows it to be improved where quality issues are found, and to facilitate the porting of it to any system, current or future. People release under the BSD license because they _want_ as many people as possible to use their code, for whatever it is found to be useful for.
They don't choose the GNU license for their code because they don't want to prevent their code from being used by anyone who hopes to generate economic activity.
Further, in this case, how would the GNU license prevent Sega from developing Dreamcast titles that run on a Linux kernel ported to Dreamcast (people are working on this)? They would only have to release the source to the kernel, not the game. And they would certainly not be prevented from charging money for a game developed which such a system.
Isn't OSX based on FreeBSD, not NetBSD?
-snippet-
Second, Sega can in principle use this work on NetBSD in official Dreamcast games, much the same way that Apple is using NetBSD as the core for OS X, since NetBSD is free of some of the licensing restrictions of Linux.
-end snippet-
Damn, I gotta pee!
-some goon from No One Lives Forever
Assuming it's the same guy and not an imposter...
It is really him, I just confirmed it via private E-mail.
-jfedor
Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently?
It is well known that credit card theft and fraud occurs for many reasons -- and it could be a coincidence that some victims of credit card fraud are also Egghead customers. Take a random sample of 3 million credit card accounts, and it's quite likely that some of them have been used fraudulently, just by chance. If 7500 cards, or 0.25%, is close to the average fraudulent activity for a random sample, then there is no reason to suspect a correlation with the Egghead break-in -- and we can probably conclude that credit card numbers were not stolen.
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
The "download stopped in progress" really doesn't say a whole lot. How much was transfered before it was shut off? 1mb? 1gb? Quite a bit could be could be transferred in just a matter of minutes. The follow-up question should be, of the amount was transferred, how many of those show potential evidence of fraud, versus those which were not transferred?
Seems to me that we're missing some fairly obvious numbers here. The fact that a very small number show evidence of fraud does not interest me as much as the percentage of the database transferred.
Maybe they're required by law (or by the credit card companies) to store the information for a certain amount of time after the transaction. Do I know? No, but neither do you. Unless you do know, shut up.
Possibly because they believe that those credit cards are fraudulently being used not from being stolen from their site but from just ordinary everyday credit card fraud.
Plus, not all of the cards are being used fraudulently. 7500 cards show possible fraudulent activity. I've been contacted by my credit card company when they thought my card was being used fraudulently when it wasn't, a few years ago my mother was detained at a store because the credit card company wouldn't put the charge through due to possible fraud.
Visa [I think it was visa, we have more than a few credit cards] assumed that my card had been stolen, and denied almost all of the charges. It took a few phone calls to Visa, the companies I ordered parts from, and about a week, to convince Visa that I was actually the person ordering the parts, and that I really did want to buy them ;)
--
Restating the obvious since nineteen aught five.
I have already read some horror stories on 2way satellite, all to do with latency and low connection speeds.. this would just compound to the problem. The point of using USB is to avoid the 'network card' requirement while still providing a fast bandwidth rate into the computer.
just my thoughts.. but i wouldn't suggest doing that...
> "Although I can't yet release proprietary technical information publicly, there are other ways we might be able to help out with this sort of project. For example, we may be able to help with testing or verification of compatibility with various revisions of Dreamcast hardware."
There were reports of Iraq buying up lots of PS2s, but this seems like a much better solution. BSD has an already understood architecture (although it would be running on bizzare hardware), a wide source base (versus almost nothing for the PS2), etc. With the ethernet adaptor being released eventually, these things could probably be more cost effective for clustered processing than PS2s.
I actually do business with Egghead and got their email...but I also know it's posted on their web site somewhere.
I personally like the line that reads (just below what the originall submitter said...I think he's just spreading FUD):
"At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site."
Stick that in your "Egghead is bad" pipe and smoke it.
While I agree with you (...and Egghead) that their credit card database hasn't been stolen, I don't buy the 7500 out of 3,000,000 arguement. If fradulent activity was taking place on my credit card, it would likely take me a month to find out. Also, if you just stole *3 Million* credit card numbers, how long would it take for you to use them all!
Doh!
As you've no doubt noticed, systems sell for a fairly consistent price over their whole lifetime. So, while maybe each console goes for a $20 or $30 loss right now (or maybe not; consoles are not ALWAYS sold for a loss, only if the company believes that this is necessary to be competitive), in a year their production costs may only be a half of what they are today. Hence, they'll turn a profit over the majority of the life of the console.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
"Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."
Well... I guess you could always read the next sentence...
"At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site. "
I figure they're embracing it simply because there are so few NetBSD/DC users out there that it couldn't possibly dent their income. I would be surprised if there were more than 1000 NetBSD/DC users worldwide (but hey...who knows)
;-)
So, if they embrace this niche, and help assist the NBSD team create a usable OS, the end-user may pick up a commercial game from time to time, just to have something else to do with his DC...thus actually economically contributing to the system, even if only a little. Perhaps, in time the new generation of gaming APIs will be ported and someone/company may distro a DC game that is NetBSD based. Running a free OS could give the DC enough longevity to possibly see it someday.
Back to reality though, I doubt that many people are going to ever dig into using this setup, simply because it wasn't built to be a workable PC. It will always be cumbersome; at least moreso than a PC.
...but I have to think that if someone could get two NICs into it, it would make a dandy low-profile firewall.
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
Here is a good quote from
http://www.newsbytes.com/pubNews/99/140307.html
Seventy-five percent of online merchants consider credit card fraud to be a concern, yet 41 percent do not know that they are held financially liable when online fraud takes place, according to an independent online fraud survey just published.
Wow, ya think egghead knows that? Or is it in the 41 percent of ignorant businesses?
SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
Doesn't work. They up the limit till you have trouble making the monthly minimums.
The truth shall set you free!
They also keep it on file in case someone claims an order is fradulant, they can look up the order, the amount, and where it was shipped. If it was shipped to you, and the shippers confirm it, then they rightly keep the money, however if it was shipped to Russia... you may have a case.
The truth shall set you free!
2 years ago (February of 1999 to be exact) I purchased a Zip drive through Onsale.com. Onsale.com merged with Egghead.com, and then egghead had their site hacked. Egghead sent me an e-mail regarding the matter (which I ignored because I never have had any business directly with them) and they also told my bank. My bank promptly killed my credit card as a security measure (without telling me of course). I discovered the problem when I tried to buy my textbooks using my card. Luckily my bank agreed to reactivate my account for 30 minutes to allow me to purchase my books and they are in the process of sending me a new card. Apparently they killed the ATM function of my card for good measure as well. To make matters worse my grandfather passed away yesterday and not having a credit card made it VERY difficult to get a plane ticket home (I ended up using my younger brothers card). I would like to see a class action suit filed against egghead.com for the trouble they have caused the public. I made the purchase two years ago form another company. Why do they have my credit card number on file? What was that number doing on a machine accessible from the Internet. Egghead.com has a lot to answer for.
This is not a Fugazi
Just as a point of reference, Visa would not be calling you about possible fraudulent card usage. Visa would notify your card issuer (usually a bank) and they would make a decision about notifying you or not. Visa maintains the machine (Sun Ultra 10k, IIRC) that runs the scenarios and tracks usage, but the members, otherwise known as issuers and merchants, are the ones that use that information.
I maintain the global network for Visa, so I know a bit about the subject.
Blaming guns for crime is like blaming keyboards for first posters. More Guns != More Crime
At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site.
While they are somewhat non-committal in their analysis (a good idea since they have no absolute proof at this point), I think they've done a decent job of informing people who might have been affected. C'mon people: you can read!
This is totally legit. John Byrd does work at Sega, and he did send that email to the NetBSD list.
Greg G.
Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do...
Not if 0.2% of credit cards normally show evidence of fraudulent activity. What they seem to be saying is that there's no reason to believe that Egghead customers are experiencing any more than the usual amount of credit-card fraud.
John Byrd and I both worked for $(MUMBLE_SALT_PILE_MUMBLE), and I've exchanged email with him since his move to Sega. He does indeed support Dreamcast developers. While we disagree about just how much to crack open the specs of the Dreamcast for "arbitrary" development, he's basically a good egg.
Ask him to spill the beans some time on Sega's reaction to Micros~1's XBox announcement, after Sega spent all that effort helping Micros~1 whip WinCE into shape for a console environment...
Schwab
Editor, A1-AAA AmeriCaptions
- "This is a very small fraction --
less than two tenths of one percent -- of the approximately three million credit cards registered with Egghead.com. At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site.
Editors, be responsible, update the Egghead slashback item.your post disgusts me. BSD is the true spirit of FREE software, it is free to all, including those you don't like. GPL is not free, It is restricted freedom, and I will support 100% unrestricted freedom anyday than restricted freedom. First of all, no company can use your code without giving your credit. Credit means a lot! Yes, it is not money, but having a company give credit to the small guys is a big thing! Probably not for you, since I dobut you are a coder.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
Nice to see that previous posts have pointed out that 7500 cards may be statistically not evidence of a breakin. (Sometimes I think /.'ers go off the handle without thinking -- I like being proven wrong)
Even so, it seems that having 3,000,000 cards on file is a huge security risk, not just for egghead and the customers, but VISA as well. I bet credit card companies start using more temporary number authentication schemes in the future to limit their liability to problems such as this....
-Moondog
I think this is an example of fairly responsible corporate behavior. Egghead has to respond to the needs of the stockholders, their customers, and the FBI. So, given the fine line they must walk, I think that the fact that they sent a letter to the customers informing them of the intrusion is pretty laudable.
Of course, they may have been required to do this. Wow, their stock is barely breathing at 0.53, but it wasn't due to the break-in. They've been tanking steadily since they IPO'd, apparently sometime late in '99.
Are the Egghead Software stores still around? I am pretty sure they aren't. Oh, I see they announced that they were closing their doors and concentrating on e-tailing software in January 98. Too bad... I think they were one of the first successful CompUSA prototpyes.
SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
Second, Sega can in principle use this work on NetBSD in official Dreamcast games, much the same way that Apple is using NetBSD as the core for OS X, since NetBSD is free of some of the licensing restrictions of Linux
Im assuming this will get mucho flames from the BSD 31337 but:
The above is the #1 reason I release my code GPL. The reason OSX is based on NetBSD only because it does not have a GNU license. ATTENTION BSD HACKERS if you want your code to swell corporate coffers continue to work on *BSD. If you are interested in freeing (libre) computer users from Corporate Computing Domination continue to hack *BSD. If you are interested in liberating people (ourselves) from corporate computing chains please PLEASE do not work for these slugs who will use your code to make profits for themselves. If you are interested in having someone else profit from your work: hack *BSD.
The BEST aspect of Linux is the viral(sp) nature of GNU. *BSD being an alternative -- but one that can be corporatly co-opted -- is obviously contrary to the major tennants of OpenSource ie the libre portion of free...
This is why I never deploy *BSD ever.
Do I think NetBSD on DC is cool? Yes. Do i 'like' that Sega has an interest in working with an 'open' developer group? Yes. Do I like the idea that *BSD is/has/will become a 'free' code base to subsidize future corporate software projects (why hire people to write our products when we can just steal *BSD code and clean it up & call it our own & sell it for $49.95 on Amazon..) OSX is the major example. The #1 reason that Apple is using *BSD in the backend is that they can get it for free (as in beer) - and *BSD hackers will keep doing bugfixes, implementing features and the like... all for free (gratis). While the their innovative work is kept locked up for themselves -- not exactly a fair exchange between honest parties is it...
The implication that Egghead admitted that 7,500 cases of credit card fraud were tied to the recent hack of its servers is misleading. As the full text of the email makes clear, 7,500 of the credit cards in Egghead's database showed possible signs of fraudulent use when the accounts were examined by the credit card companies. There is no indication that any of those fraudulent uses resulted from access to Egghead's credit card info. Also, the credit card companies tend to take a very liberal view of what constitutes possible fraudulent use, since they often are left with a loss from fraud (unless they can pass off the "charge back" to a merchant). I had an order for a Playstation 2 through mediaplay.com denied by the credit card company because they thought the transaction looked fraudulent for some reason. They notified me by postcard.... One side note: The first notice from Egghead wasn't particularly helpful. It didn't tell you what credit card may have been compromised. If you had more than one, I guess the expected you to either cancel them all or call and get some details.
If SoA is supporting this, does this mean that they just don't realize that people who buy a Dreamcast solely to run NetBSD are costing them money? Or do they take the safer (much safer) guess that someone who bought it for NetBSD would also pick up a couple games? Or are they not selling them at a loss?
-bugg
John Byrd emails and reads the dc-dev mailing list (which I'm on) fairly regularly. The general consensus is that he's legit.
The archives of the list can be found here (not too up to date as Dan Potter, who runs that site, has yet to find a good solution to archiving the list).
For more on dc dev, see Jules' site, which is more or less a good hub site for everything dc dev related.
--Psi
Max, in America, it's customary to drive on the right.
Here is the letter (bold face emphasis is mine):
u estions_login.htm
Dear Customer,
On December 22nd, as a precautionary measure I wrote to inform you of an
attack on our computer systems. Regrettably, until now, we have not been
able to update you or comment publicly on the situation, due to an ongoing
investigation into the matter.
While the FBI investigation is ongoing, I can now give you an update on our
internal investigation, which has uncovered evidence which suggests that
Egghead.com's existing security systems interrupted the intrusion while it
was in progress, and that customer data has not been compromised.
In addition, reports from the credit card companies with whom we work
suggest that fewer than 7,500 credit card accounts registered with us
have shown possible fraudulent activity. This is a very small fraction --
less than two tenths of one percent -- of the approximately three million
credit cards registered with Egghead.com. At this point it is difficult
to determine whether any fraudulent activity on this relatively small
number of credit cards can be traced back to the attack on our system, or
whether it may be the result of credit card theft elsewhere. At this point,
the evidence we have gathered to-date suggests that these credit card
numbers were NOT obtained from our site.
We have heard from many of you, and we thank you for your support and
patience as we continue the complex investigation into this unfortunate
incident. I realize that taking this precautionary measure of informing you
and the credit card companies of the breach resulted in the cancellation of
credit cards, and even embarrassment, for some of you, and we sincerely
apologize for any trouble this may have caused. However, that was the risk
we ran by going public, and it is important to understand that the actions
taken by the credit card issuers were also out of their eagerness to protect
your best interests.
Our first priority has been to protect our customers. We deeply regret
any inconvenience recent events may have caused you, but we believed that
going public with this information would help limit any possible damage,
and give you the choice of taking precautions to protect your privacy. I
believe strongly that this was the prudent and responsible course of action
for our company -- or any company -- faced with this situation.
Through our joint efforts with Kroll Associates over the past few weeks, we
have taken additional steps to reduce the possibility of future incidents by
continuing to strengthen our security measures. This is an ongoing process
that we continue to take very seriously. All of the information that we have
gathered has been turned over to the FBI, which is conducting an ongoing
investigation.
Below is the press release we will be issuing on Monday, January 8th. If
you have questions, please contact our Customer Service Department at
1-800-EGGHEAD (1-800-344-4323), which is open from 5:00 AM - 7:00PM
Pacific Time, Monday through Friday, and 7:00 AM - 3:00 PM Pacific Time,
Saturday and Sunday. You can also send an email by visiting this URL:
https://www.egghead.com/custserv/actreq/general_q
Respectfully,
Jeff Sheahan
President & CEO
Egghead.com, Inc.
Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."
They have three million credit cards in their database. They checked with the credit card companies, and in the past little while, 7,500 of them were used fradulently. That's a very small percentage, and probably typical. Nowhere does it say that this fradulent use was in any way due to Egghead. Having your credit card number stolen online is not the only way to have it used fradulently, people. That pimply kid at the gas station could be copying down your numbers, for all you know.
Now, I know Egghead is a Corporation, and thus obviously guilty of the incredibly heinous act of trying to make money, but couldn't we at least stop trying to make shit up?
Possibly because they believe that those credit cards are fraudulently being used not from being stolen from their site but from just ordinary everyday credit card fraud. Their justification is so low a percentage of the credit cards seem to be fraudulently used that it's comparable to normal percentages of credit card fraud.
What's more likely is that the attackers haven't gotten to use all the credit cards yet ;)
"Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
This is why I always keep my Credit Cards maxed out. (Plus everybody thinks I'm a good consuemer.)
If you've not already, max out your credit cards today.
M0571y H@rml355.