Slashdot Mirror


Slashback: Scrambled, Dreams, Stars

Welcome to another dose of updates and trivia, which tonight means: some more on the large glob of egg on the face of Egghead.com; how to connect to the satellite world a little cheaper, and an unlikely (or maybe not unlikely) source of interest in NetBSD on the Dreamcast.

Well, there is just one other little thing ... jmorse writes: "In light of the recent attack on Egghead.com, the company is sending this email to its registered customers, claiming that "...Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has not been compromised." Yet, later in the same email, they admit that "...In addition, reports from the credit card companies with whom we work suggest that fewer than 7,500 credit card accounts registered with us have shown possible fraudulent activity. This is a very small fraction -- less than two tenths of one percent -- of the approximately three million credit cards registered with Egghead.com. " Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

I think we understand each other, Mr. Bond. An unnamed correspondent writes: "This e-mail showed up on the NETBSD/Dreamcast mailing list. Interesting eh?"

Interesting, that is, because it comes (seems to come? can never be too careful these days ... ) from John Byrd, manager of the Developer Technical Support department at Sega of America, who expresses interest in the recent work on Net("runs on 2-stroke oil")BSD for the Sega Dreamcast. Here's the recent Slashdot story on that port.

In it, Byrd says: "Although I can't yet release proprietary technical information publicly, there are other ways we might be able to help out with this sort of project. For example, we may be able to help with testing or verification of compatibility with various revisions of Dreamcast hardware."

Nice to hear, eh?

Mr. Walker played by Jim Carrey. Finally, thanks go out to the heroic Starband installer Winston Walker. Regarding the recent story on using Starband's two-way satellite service under Linux and other OSes, Winston expresses himself thusly: "USB to serial for starband is NOT needed. You can use a 9pin to 25pin modem cable. Get rid of ALL the usb stuff on the starband. No point in paying 40-50 bucks for that stupid cable (grin)."

Must tend to agree; can anyone else confirm this? Things are looking good for the move to Alpine, Texas, which seems to have some southern sky to spare.

Lest we forget. The latest in our series of reprints and reactions to Jon Katz' Hellmouth columns is up.

15 of 87 comments

  1. Um... by Anonymous Coward · · Score: 3

    Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do...

    Not if 0.2% of credit cards normally show evidence of fraudulent activity. What they seem to be saying is that there's no reason to believe that Egghead customers are experiencing any more than the usual amount of credit-card fraud.

  2. John Byrd is Legit by ewhac · · Score: 3

    John Byrd and I both worked for $(MUMBLE_SALT_PILE_MUMBLE), and I've exchanged email with him since his move to Sega. He does indeed support Dreamcast developers. While we disagree about just how much to crack open the specs of the Dreamcast for "arbitrary" development, he's basically a good egg.

    Ask him to spill the beans some time on Sega's reaction to Micros~1's XBox announcement, after Sega spent all that effort helping Micros~1 whip WinCE into shape for a console environment...

    Schwab

  3. Shoddy "Journalism". Editors: Please update story. by C.Su · · Score: 3
    When 20 of the first 25 posts to a slashdot article contain lucid discussion regarding a misrepresentation within the posted article, then you know for certain that there really must be a problem. The poster, and/or submitter, of the Egghead blurb obviously neglected to read the memo that Egghead (most admirably) sent out to their customers. As others have already pointed out, the sentences immediately following the one containing the 7,500 figure state:
    • "This is a very small fraction -- less than two tenths of one percent -- of the approximately three million credit cards registered with Egghead.com. At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site."
    Editors, be responsible, update the Egghead slashback item.
  4. Re:*BSD by segmond · · Score: 3

    Your post disgusts me. BSD is the true spirit of FREE software, it is free to all, including those you don't like. GPL is not free, it is restricted freedom, and I will support 100% unrestricted freedom any day than restricted freedom. First of all, no company can use your code without giving you credit. Credit means a lot! Yes, it is not money, but having a company give credit to the small guys is a big thing! Probably not for you, since I doubt you are a coder.

    --
    ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
  5. Nice to see... by smoondog · · Score: 3

    Nice to see that previous posts have pointed out that 7500 cards may be statistically not evidence of a break-in. (Sometimes I think /.'ers go off the handle without thinking -- I like being proven wrong) Even so, it seems that having 3,000,000 cards on file is a huge security risk, not just for egghead and the customers, but VISA as well. I bet credit card companies start using more temporary number authentication schemes in the future to limit their liability to problems such as this.... -Moondog

  6. Give Egghead Credit by Bluesee · · Score: 3

    I think this is an example of fairly responsible corporate behavior. Egghead has to respond to the needs of the stockholders, their customers, and the FBI. So, given the fine line they must walk, I think that the fact that they sent a letter to the customers informing them of the intrusion is pretty laudable.

    Of course, they may have been required to do this. Wow, their stock is barely breathing at 0.53, but it wasn't due to the break-in. They've been tanking steadily since they IPO'd, apparently sometime late in '99.

    Are the Egghead Software stores still around? I am pretty sure they aren't. Oh, I see they announced that they were closing their doors and concentrating on e-tailing software in January 98. Too bad... I think they were one of the first successful CompUSA prototypes.

    --
    SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
  7. *BSD by SubtleNuance · · Score: 3

    Second, Sega can in principle use this work on NetBSD in official Dreamcast games, much the same way that Apple is using NetBSD as the core for OS X, since NetBSD is free of some of the licensing restrictions of Linux

    I'm assuming this will get mucho flames from the BSD 31337 but:

    The above is the #1 reason I release my code GPL. The reason OSX is based on NetBSD is only because it does not have a GNU license. ATTENTION BSD HACKERS if you want your code to swell corporate coffers continue to work on *BSD. If you are interested in freeing (libre) computer users from Corporate Computing Domination continue to hack *BSD. If you are interested in liberating people (ourselves) from corporate computing chains please PLEASE do not work for these slugs who will use your code to make profits for themselves. If you are interested in having someone else profit from your work: hack *BSD.
    The BEST aspect of Linux is the viral(sp) nature of GNU. *BSD being an alternative -- but one that can be corporately co-opted -- is obviously contrary to the major tenets of OpenSource i.e. the libre portion of free...

    This is why I never deploy *BSD ever.

    Do I think NetBSD on DC is cool? Yes. Do I 'like' that Sega has an interest in working with an 'open' developer group? Yes. Do I like the idea that *BSD is/has/will become a 'free' code base to subsidize future corporate software projects (why hire people to write our products when we can just steal *BSD code and clean it up & call it our own & sell it for $49.95 on Amazon..) OSX is the major example. The #1 reason that Apple is using *BSD in the backend is that they can get it for free (as in beer) - and *BSD hackers will keep doing bugfixes, implementing features and the like... all for free (gratis). While their innovative work is kept locked up for themselves -- not exactly a fair exchange between honest parties is it...

  8. 7500 cards showed signs of fraud by smarner · · Score: 3

    The implication that Egghead admitted that 7,500 cases of credit card fraud were tied to the recent hack of its servers is misleading. As the full text of the email makes clear, 7,500 of the credit cards in Egghead's database showed possible signs of fraudulent use when the accounts were examined by the credit card companies. There is no indication that any of those fraudulent uses resulted from access to Egghead's credit card info. Also, the credit card companies tend to take a very liberal view of what constitutes possible fraudulent use, since they often are left with a loss from fraud (unless they can pass off the "charge back" to a merchant). I had an order for a Playstation 2 through mediaplay.com denied by the credit card company because they thought the transaction looked fraudulent for some reason. They notified me by postcard.... One side note: The first notice from Egghead wasn't particularly helpful. It didn't tell you what credit card may have been compromised. If you had more than one, I guess they expected you to either cancel them all or call and get some details.

  9. Re:Credit card things by joshwa · · Score: 4

    I asked egghead specifically about this problem: Their reply:

    Dear Joshua Wand,

    We'd like to update you regarding your customer service request xxxxxxxx.

    While we are able to remove your credit card number from your account and our customer files, if you have placed an order with us, the credit card number will remain on record with that transaction. We are required by credit card agreements to maintain these financial transactions. This information is also used when crediting or refunding your order. Please be assured we have taken significant measures to ensure this data is stored in a highly secure environment.

    While the FBI investigation is still ongoing, we can now give you an update on our internal investigation, which has uncovered evidence which suggests that Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has NOT been compromised.

    Through our joint efforts with Kroll Associates over the past few weeks, we have taken additional steps to reduce the possibility of future incidents by continuing to strengthen our security measures. This is an ongoing process that we continue to take very seriously.

    Sincerely,

    Dan R

    Your Customer Service Representative

  10. It's always been taught by bugg · · Score: 4
    It's a widely held belief that gaming companies sell the console at a loss, and then recoup their expenses from the licensing fees that they can charge with an established customer base.

    If SoA is supporting this, does this mean that they just don't realize that people who buy a Dreamcast solely to run NetBSD are costing them money? Or do they take the safer (much safer) guess that someone who bought it for NetBSD would also pick up a couple games? Or are they not selling them at a loss?

    --
    -bugg
  11. John Byrd and Dreamcast Development by PsionicMan · · Score: 4
    Assuming it's the same guy and not an imposter...

    John Byrd emails and reads the dc-dev mailing list (which I'm on) fairly regularly. The general consensus is that he's legit.

    The archives of the list can be found here (not too up to date as Dan Potter, who runs that site, has yet to find a good solution to archiving the list).

    For more on dc dev, see Jules' site, which is more or less a good hub site for everything dc dev related.

    --Psi

    Max, in America, it's customary to drive on the right.


  12. Read the letter, don't paraphrase by n7ytd · · Score: 4

    Here is the letter (bold face emphasis is mine):

    Dear Customer,

    On December 22nd, as a precautionary measure I wrote to inform you of an
    attack on our computer systems. Regrettably, until now, we have not been
    able to update you or comment publicly on the situation, due to an ongoing
    investigation into the matter.

    While the FBI investigation is ongoing, I can now give you an update on our
    internal investigation, which has uncovered evidence which suggests that
    Egghead.com's existing security systems interrupted the intrusion while it
    was in progress, and that customer data has not been compromised.

    In addition, reports from the credit card companies with whom we work
    suggest that fewer than 7,500 credit card accounts registered with us
    have shown possible fraudulent activity. This is a very small fraction --
    less than two tenths of one percent -- of the approximately three million
    credit cards registered with Egghead.com. At this point it is difficult
    to determine whether any fraudulent activity on this relatively small
    number of credit cards can be traced back to the attack on our system, or
    whether it may be the result of credit card theft elsewhere. At this point,
    the evidence we have gathered to-date suggests that these credit card
    numbers were NOT obtained from our site.


    We have heard from many of you, and we thank you for your support and
    patience as we continue the complex investigation into this unfortunate
    incident. I realize that taking this precautionary measure of informing you
    and the credit card companies of the breach resulted in the cancellation of
    credit cards, and even embarrassment, for some of you, and we sincerely
    apologize for any trouble this may have caused. However, that was the risk
    we ran by going public, and it is important to understand that the actions
    taken by the credit card issuers were also out of their eagerness to protect
    your best interests.

    Our first priority has been to protect our customers. We deeply regret
    any inconvenience recent events may have caused you, but we believed that
    going public with this information would help limit any possible damage,
    and give you the choice of taking precautions to protect your privacy. I
    believe strongly that this was the prudent and responsible course of action
    for our company -- or any company -- faced with this situation.

    Through our joint efforts with Kroll Associates over the past few weeks, we
    have taken additional steps to reduce the possibility of future incidents by
    continuing to strengthen our security measures. This is an ongoing process
    that we continue to take very seriously. All of the information that we have
    gathered has been turned over to the FBI, which is conducting an ongoing
    investigation.

    Below is the press release we will be issuing on Monday, January 8th. If
    you have questions, please contact our Customer Service Department at
    1-800-EGGHEAD (1-800-344-4323), which is open from 5:00 AM - 7:00PM
    Pacific Time, Monday through Friday, and 7:00 AM - 3:00 PM Pacific Time,
    Saturday and Sunday. You can also send an email by visiting this URL:

    https://www.egghead.com/custserv/actreq/general_questions_login.htm

    Respectfully,

    Jeff Sheahan
    President & CEO
    Egghead.com, Inc.

  13. Settle Down, Slashdot by tbo · · Score: 5

    Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

    They have three million credit cards in their database. They checked with the credit card companies, and in the past little while, 7,500 of them were used fraudulently. That's a very small percentage, and probably typical. Nowhere does it say that this fraudulent use was in any way due to Egghead. Having your credit card number stolen online is not the only way to have it used fraudulently, people. That pimply kid at the gas station could be copying down your numbers, for all you know.

    Now, I know Egghead is a Corporation, and thus obviously guilty of the incredibly heinous act of trying to make money, but couldn't we at least stop trying to make shit up?

  14. Explaining Egghead by EraseEraseMe · · Score: 5
    Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently?

    Possibly because they believe that those credit cards are fraudulently being used not from being stolen from their site but from just ordinary everyday credit card fraud. Their justification is so low a percentage of the credit cards seem to be fraudulently used that it's comparable to normal percentages of credit card fraud.

    What's more likely is that the attackers haven't gotten to use all the credit cards yet ;)

    --
    "Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
  15. Credit Card security.... by BLAG-blast · · Score: 5

    This is why I always keep my Credit Cards maxed out. (Plus everybody thinks I'm a good consumer.)

    If you've not already, max out your credit cards today.

    --
    M0571y H@rml355.