Forgot your password?
typodupeerror
News

Slashback: Scrambled, Dreams, Stars 87

Posted by timothy
from the what's-the-current-kernel? dept.
Welcome to another dose of updates and trivia, which tonight means: some more on the large glob of egg on the face of Egghead.com; how to connect to the satellite world a little cheaper, and an unlikely (or maybe not unlikely) source of interest in NetBSD on the Dreamcast.

Well, there is just one other little thing ... jmorse writes: "In light of the recent attack on Egghead.com, the company is sending this email to its registered customers, claiming that "...Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has not been compromised." Yet, later in the same email, they admit that "...In addition, reports from the credit card companies with whom we work suggest that fewer than 7,500 credit card accounts registered with us have shown possible fraudulent activity. This is a very small fraction -- less than two tenths of one percent -- of the approximately three million credit cards registered with Egghead.com. " Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

I think we understand each other, Mr. Bond An unnamed correspondent writes: "This e-mail showed up on the NETBSD/Dreamcast mailing list. Interesting eh?"

Interesting, that is, because it comes (seems to come? can never be too careful these days ... ) from John Byrd, manager of the Developer Technical Support department at Sega of America, who expresses interest in the recent work on Net("runs on 2-stroke oil")BSD for the Sega Dreamcast. Here's the recent Slashdot story on that port.

In it, Byrd says: "Although I can't yet release proprietary technical information publicly, there are other ways we might be able to help out with this sort of project. For example, we may be able to help with testing or verification of compatibility with various revisions of Dreamcast hardware."

Nice to hear, eh?

Mr. Walker played by Jim Carrey Finally, thanks go out to the heroic Starband installer Winston Walker. Regarding the recent story on using Starband's two-way satellite service under Linux and other OSes, Winston expresses himself thusly: "USB to serial for starband is NOT needed. You can use a 9pin to 25pin modem cable. Get rid of ALL the usb stuff on the starband No point in paying 40-50 bucks for that stupid cable (grin)."

Must tend to agree; can anyone else confirm this? Things are looking good for the move to Alpine, Texas, which seems to have some southern sky to spare.


Lest we forget The latest in our series of reprints and reactions to Jon Katz' Hellmouth columns is up.

This discussion has been archived. No new comments can be posted.

Slashback: Scrambled, Dreams, Stars

Comments Filter:
  • by Anonymous Coward
    In eight years of having a credit card, I've never had a single fraudulent charge (including five years extensive use on the net).

    Two days after Egghead claims their systems were compromised, what shows up on my card? A nice little $15 transaction from Moscow.

    Egghead either has no idea what they're talking about or are delibarately misleading their customers, because I pretty highly doubt this is a coincidence.
  • by Anonymous Coward
    You may find that the Dreamcast doesn't sell at a loss at all. Sega's Saturn console was expensive to build; they almost certainly sold that at a loss and got burnt badly.

    The Dreamcast is a lot more economical to produce, so there's more chance of Sega selling it at break-even or at a small profit.

    Besides, just because someone is using homebrew software doesn't mean they aren't buying games! Supporting amateur development may likely encourage people to continue using their DC (and purchasing games) for it long after they would have packed it away in the closet otherwise.
  • by Anonymous Coward
    I have purchased from Egghead in the past. Recently (ie this billing cycle) fradulent charges appeared on my card for some telecom company in Moscow, Russia. Has anyone else experienced the same thing?
  • In the U.S. most companies are required to store income records for seven years, and that includes credit card purchase slips or files.

    I still run my limo service credit cards throught the same old manual imprinter and submit charges through the some old XON machine I got 10 years ago, and store the (paper) receipts in a safe.

    If I moved to online credit card processing, I think I'd store my financials on a removable hard drive and put that drive in the safe when I was away from my office.

    - Robin
  • The email from Egghead.com GOES ON TO SAY that, while they have millions and millions of credit cards in their database, there were 7,500 cards that had shown fraudulent useage, though nothing had yet been linked back to the egghead.com breach. Out of any given few million credit cards at any given time, one might reasonably expect to find a few thousand that had some sort of fraudulent activity on them from any given source. Therefore, don't be so quick to jump egghead yet -- at least they are being open about it at this point. Also, read and consider the entire email before jumping to such a conclusion. This isn't at all a contradiction like it is made out in this story to be.

  • Ask him to spill the beans some time on Sega's reaction to Micros~1's XBox announcement, after Sega spent all that effort helping Micros~1 whip WinCE into shape for a console environment...

    And Sega were surprised by this? They thought it was a mutually beneficial arrangement, right? How long ago did Micros~1 do over IBM?

  • by jjoyce (4103)
    Right, especially if those same credit card holders also shop online at a lot of other retailers, which is likely. Who's to say that EggHead's data was stolen and not someone else's?
  • I believe if you read the fine print, they say they keep your card on file. If you dont use it, disable your account. Just like any good unix/linux sys admin would do to a user account that is no longer in use.
  • If fradulent activity was taking place on my credit card, it would likely take me a month to find out.

    damn your card co. must suck, I can call or check my balance online, and see what purchases where made within 24 hours.
  • Gee, according to my dictionary to "interrupt" does mean "to stop" or "to break". I suspect what you might mean is at what point did Egghead's security actually detect and then interrupt the intrusion (e.g. before or after any credit card numbers may have been downloaded).

    I do agree that having all of those credit card numbers stored and so easily accessibly is pretty stupid on Egghead's part. I have to wonder how many other on-line vendors have similar practices. On the other hand, only 7500 instances of potentially fradulent activity among 3 million accounts is pretty low - probably in the 'to be expected' range - after all, how many people use the same credit for a variety of purchases. Theft of credit card numbers isn't restricted to just on-line vendors. But then that assumes fradulently obtained credit cards might be used right away rather than stashed away for later misuse ...

  • Why is that a reason not to fly with BA? It sounds like they were doing the right thing. Every airline has problems now and then.

    FWIW, my experiences with BA have been quite positive. Compare them to United, easily the worst airline I've flown with.
    --

  • Assuming the company does need to retain credit card information for some time after a transaction, that doesn't mean they need to store the information on a well-connected machine. There are much more secure methods of retaining said information.
  • Thanks for the links. My Visa popped up with the same charge as described on fatwallet. I called Citibank, and they went so far as to close the account and issue a new card, which is something I've never seen done for a simple disputed charge.

    I assumed that perhaps this was simply because the charge was from Russia, which is probably on a hot list of countries for CC fraud. This may well be the reason, but I can't help but wonder if they've gotten a rash of this particular charge and know something they aren't telling us yet. But, if that was the case, I would think their fraud detection systems would kick in, so maybe there haven't been enough of these to trigger it.
  • Egghead sent me an e-mail regarding the matter (which I ignored because I never have had any business directly with them) and they also told my bank. My bank promptly killed my credit card as a security measure (without telling me of course).

    This is your bank's fault, not Egghead's.

    I would like to see a class action suit filed against egghead.com for the trouble they have caused the public.

    I guess you would rather not have been informed of a possible security breach.

    Why do they have my credit card number on file?

    I believe they are required by credit card companies to keep that stuff.

    What was that number doing on a machine accessible from the Internet.

    This is a good point. I'd chalk it up to customers valuing convenience over security (until the security is compromised, that is). I had to have a warranty repair done on a TV I bought from 800.com and it was nice to have a record of the order online to print out.
  • > obviously contrary to the major tennants of OpenSource

    "tennant" isn't an English word. "Tenant" is, but I don't think that anyone pays rent to OpenSource in order to live there. I think you mean tennet.

    Grammar Nazi
  • "interrupted the intrusion " It does not say nor imply it stopped it, interrupted it rather. READ READ READ!
  • Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do...

    hmm, maybe those 7500 people shopped elsewhere online. it's not impossible that those credit cards were compromised at another site. the only thing that bothers me is that they apparently can't even read the logs of their own auditing software.

    --
  • 7500 cards out of 3 million is a very very small amount. Perhaps what Egghead is saying is that the amount of fradulent activity shown is within the statistical norms for credit card fraud?
  • Even if the 7500 cards' fraudulent use was not a result of the Egghead hack, it is grossly irresponsible for egghead to store plaintext card numbers. There is very little reason to keep card numbers on file after settlement. I actually don't mind typing the 16 digits in for my added security and peace of mind. While the Slashdot editors should me taken to task for being misleading on this story, Egghead (and Amazon and you name it...) should not be excused for storing card numbers on file.
  • Bah. That's the risk you take by hoarding information, eventually someone's going to get at it.

    I'm a member of an ecomerce site, and I'm glad that I don't have to go through the cleanup panic. Our company keeps the credit card numbers only as long as it takes to charge them, then we throw them out, and we pack the databases on a regular basis.

    It's a funny thing to explain to a customer that relly digs that one-click convenience.

    It's a terrible thing to happen, especially to a pioneer in the field, but that's business.

    --
    Keep all of you eggs in one basket, and WATCH THAT BASKET -- Mark Twain
  • >if you want your code to swell corporate coffers
    >continue to work on *BSD.

    Tell that to RedHat, TurboLinux, SuSe, VA Linux etc.

    Regards, Tommy
  • "Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

    Isn't that assuming .2% isn't a normal number of illegally used credit cards? It's not like breaking into Egghead's database is the only way to get credit card numbers. A waiter can just copy your credit card # when you hand it to him for Christ's sake. You expose yourself to possible fraudulent use of your credit card, every time you use your credit card.

  • I'll second this. I got a call from my credit card company about a $10 charge looking abnormal, while the $3000 for a new engine never raised a flag....
  • I would be hesitant to come to any such conclusion until people have had an opportunity to review there statements.
    If there hasn't been any reports by mid feb.(more then statistically likely) then I would conclude that none where taken OR perhaps they where copied and just not used, to prove that it could happen.
    we'll never know.
    On a side note, I hate when terms like Stolen, and Taken are used to mean copied.
  • OS X is based on a BSD variant; that's all I know. I could be wrong, but I thought it was based on the Mach-based kernel NextStep used.
  • Sega makes a small profit on each Dreamcast, but not very much. They sell at slightly above cost price.
  • Here is some stats from ecompany.com

    Online merchants experienced fraudulent costs of more than $1.5 billion in 1999, which is equivalent to 10 percent of all online retail sales, according to Deborah Williams, research director of Meridien Research, a high-tech research and consulting firm. "While most online security concerns focus on the consumer, it's the merchants who are getting killed," notes Williams, who fears that Net fraud could grow to $15 billion annually by 2003 unless radical new measures are adopted...

    So it would appear that the percentage quoted is a small number... but it could be a case of apples and oranges.

  • by gwjc (181552)
    Yeah it's all well and good that the manager of the Developer Technical Support is interested but I can just see a hastily drawn team of greedhead Corporhoids sweating it out in a meeting room throwing things up the flagpole like:
    BSD rights, hmmm - Is that ours? who would scuttle or horribly twist any valid effort to assist the OpenSource community.
  • It also stated it could "possibly" be fraudlent activity. Nothing said that there had been fraudlent activity.
  • Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

    That depends on how this sample compares to the population. Egghead claims 7500 is only .2% of their database. If .2% is also the total of all credit cards in existence that have been used fraudulently, then that's exactly the amount one should expect. Before jumping on them, we need info on credit card use in general.

  • When a rant from a troll (yesterday's "Object Oriented Hype" item) is presented as a serious article, you have to wonder if the submissions are being reviewed by the right (read technically competent) people.

    When Slashdot reports that a large corporation is suing the Freetype project without a shread of evidence, it makes you wonder if anyone at slashdot is even remotely familiar with the term "journalistic integrity".

    Before Slashdot continues to gleefully points out the mistakes of others, they need to get their own house in order. After they finish wiping all the egg off their face, that is.
  • would have been nice. I'm not saying they should have sent the credit card number and expiration date, but perhaps a simple "You used a Visa (**** **** **** 1234) in March 1999 . . . ."
  • I have an additional piece of information. I work for a large educational institution. For small purchases (less that $1000) we have purchasing credit cards. About half the employees in my department have their own cards. Many of them have been used at egghead. About half of those cards had unauthorized transaction from the same company in Russia. Of the card that had not been used at egghead, none had similar transactions. This seems like more than a typical set of unauthorized transactions. Personal cards in the office had the same trend.

    Now given the amount of online ordering that we do, some other database could have been hacked. But it all seems a bit fishy to me. BTW the bank automatically canceled all cards that had been used at Egghead. It would be interesting to see how many transaction were tried after the cards were canceled.

  • "Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

    Something to consider is that these 7500 credit cards were probably used on other sites, as well. I believe that Egghead was trying to indicate that any issues with these cards were because of other companies (since they claimed that they didn't expose anything).

    I've ordered from Egghead.com before, and I called my credit card company and asked that my number be changed. I'm glad that they have given out infomation about this situation, but I'll be honest that I'm not sure if I will shop there, again. Chances are yes, but I only bought blank CDRs there, anyway (can't seem to find the ones I need - HP - at any B&M stores in my area...)

  • Now with disposable e-mail addresses I just need to find a way to have a disposable shipping address.

    Anyone who owns their own domain and can run their own DNS and sendmail server instantly has disposable email address (e.g. the address I use above is a throw-away).

    They aren't quite unique, but for shipping addresses I use a variation of my name and mailing address (e.g. adding "apt 1" to the house number, using a new middle initial, etc). I once ordered the Victoria Secret catalog under the name "Vicky", and now receive lots of junk mail of stuff like shampoo and perfume samples under that name. :)

  • Actually, this has been a pretty common occurence lately. Check out this [fatwallet.com] thread at fatwallet.com which details many people who were hit by this that did not have any involvement with Egghead.com.

    It would seem, also, that C|Net [cnet.com] is running an investigation on this, and it was profiled in several news stories lately....

  • As for chargebacks, Internet retailers are responsible for chargebacks, since they cannot positively ID a person and CC. In the Brick & Mortar world, as long as you exercise "reasonable precautions" (translated: check the signature), whoever sponsors your merchant account absorbs the chargeback. In non face-to-face orders (eg., Internet, mail-order, phone orders), since it's impossible to do this (except for fax copies, which I think a very few companies still do), most merchant accounts require the retailer to eat the chargebacks.
  • That's why I keep my credit cards maxed out and pretend to have trouble making the monthly minimums! ;)

    ...not paying anything for a year is a definite way to keep them from upping that limit...

  • If you read the story on the starband modem (as posted on slashdot yesterday - sorry no time to find link here) then you would know that the person they were thanking set up a website which showed you how to hack the starband modem. In the hack, one of the instructions is to open the modem up and remove the PCI-USB converter and the usb equipment.

    Hence the rip out the usb shit statement.

    Anyways a more clearer expanation can be explained from the site that describes the hack.

  • encryption does not automagically make things secure. Security guru B. Schienier says security is a process, not a product. (encryption = product). Having an encrypted database of 3,000,000 card numbers just means there is an extra step (or completely different attack) that an attacker has to take.

    Don't get me wrong, encryption is a great idea, but I would trust my CC info to online retailers if I knew deleting my CC# after they no longer needed it was part of their process.

    I have yet to hear a good reason as to why retailers have to keep my CC# long after I have my goods and am satisfied. (So it's easier to buy things in the future is most certainly not a good reason)....

  • Um...nevermind. The link in the Slashback text works now. Before, it just went to the main /. page.
  • Now I'm not the slowest carbon lifeform unit around these days but I don't understand what the Starband quickie was refering to at all. Here I'll quote what I don't get to make it more obvious to everyone:

    "USB to serial for starband is NOT needed. You can use a 9pin to 25pin modem cable."

    Explain this to me? I have never seen a Starband setup, however their webpage states that the way they connect to your computer (unless you bought a Compaq from RatShack) is via a USB device plugged into your PCs USB port.

    I do not get how a 9pin to 25pin serial cable can all of a sudden mate a usb cable to my PC. Not unless its passed through my ass which contains millions of nanites programmed to change the molecular structure of that 9-25pin serial cable into that of a usb to serial cable somehow.

    I am also confused by this statement as well:

    "Get rid of ALL the usb stuff on the starband..."

    If all I am given by Starband is a USB device to connect to the Starband equipment then how the hell can I get rid of it? Explain this to me. Not even ass-nanites could pull this one off far as I can tell.

    So anyone care to help me figure out what the heck they meant by these two quotes? Especially since there are NO URLs pointing to ANYTHING that would explain these statements.

    *sigh*

    My mind is like an endless carnival....only with more CHEESE!

  • Nope. John Byrd does work at Sega, and they are looking at ways to support the NetBSD-Dreamcast port.

    Greg G.

  • I have been an Egghead customer, and recently saw, and reported, one transaction that appeared to be fraudulent.

    It is by no means obvious that the transaction that I saw was, in fact, a result of the Egghead "information emission." It could be the result of something else. The questionable transaction is probably not amongst the 7500 that Egghead reported, so it may be that 7500 is a low figure.

    If I were to claim that the "evil transaction" (involving some Moscow-based "telecom" company) was a result of Egghead's emission, that represents a potential falsehood. I cannot be certain that there was any relationship. What is certain is that due to the Egghead report, I scrutinized transactions more carefully than usual, and one appeared prominent as a likely fraudulent transaction.

  • Note that it said possible fraudulent use.

    Credit card companies are very paranoid about card usage, and do all sorts of stuff to prevent criminals from getting away with too much.

    For example, when my family went to Europe on vacation a couple years ago, MasterCard locked out our accout due to "suspicious activity."

    When we got home a week later, we discovered a message on our answering machine asking us about our card usage, recorded on the afternoon that the card was disabled. ("Hello, this is MasterCard. We were calling you at your home in the US to ask you if you are in Europe right now...")

    Moral of this story: call your credit card company before you go on vacation. And don't fly British Airways (en route to Heathrow, we were diverted to Montreal because the primary power generator on the plane died and the pilot didn't want to risk flying over the ocean in such a state. Which was good, because the lighting, toilets and air conditioning wasn't working. Didn't even get frequent flyer miles out of it... )


    ---
    The Hotmail addres is my decoy account. I read it approximately once per year.
  • After getting bit by the creditcards.com crack and now this Egghead thing I am ready to get one of the American Express disposable card numbers to do all of my shopping. Now with disposable e-mail addresses [sneakemail.com] I just need to find a way to have a disposable shipping address.

    I don't understand why these companies think it is a "service" to me for them to keep my credit card number on file for a few years. I can understand holding it for 30 or 60 days after the transaction or something, but I haven't bought anything from Egghead in over a year.

  • I got the e-mail from Egghead. And my card *was* used fraudulently on Nov. 6. I don't know if the two were related, but I strongly doubt Egghead's claims.
  • Having them on file is not a risk...having them on file *unencrypted* is a risk.
  • You have obviously completely missed the point of the BSD license. That must explain why you are insulting the intelligence of those who use it by suggesting that they don't understand its implications.

    People use the BSD license because they want to propogate the use of quality code. It is open source because that allows it to be improved where quality issues are found, and to facilitate the porting of it to any system, current or future. People release under the BSD license because they _want_ as many people as possible to use their code, for whatever it is found to be useful for.

    They don't choose the GNU license for their code because they don't want to prevent their code from being used by anyone who hopes to generate economic activity.

    Further, in this case, how would the GNU license prevent Sega from developing Dreamcast titles that run on a Linux kernel ported to Dreamcast (people are working on this)? They would only have to release the source to the kernel, not the game. And they would certainly not be prevented from charging money for a game developed which such a system.
  • Isn't OSX based on FreeBSD, not NetBSD?

    -snippet-

    Second, Sega can in principle use this work on NetBSD in official Dreamcast games, much the same way that Apple is using NetBSD as the core for OS X, since NetBSD is free of some of the licensing restrictions of Linux.

    -end snippet-

    Damn, I gotta pee!

    -some goon from No One Lives Forever
  • Assuming it's the same guy and not an imposter...

    It is really him, I just confirmed it via private E-mail.

    -jfedor
  • Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently?

    It is well known that credit card theft and fraud occurs for many reasons -- and it could be a coincidence that some victims of credit card fraud are also Egghead customers. Take a random sample of 3 million credit card accounts, and it's quite likely that some of them have been used fraudulently, just by chance. If 7500 cards, or 0.25%, is close to the average fraudulent activity for a random sample, then there is no reason to suspect a correlation with the Egghead break-in -- and we can probably conclude that credit card numbers were not stolen.

    Cheers,
    IT
  • The "download stopped in progress" really doesn't say a whole lot. How much was transfered before it was shut off? 1mb? 1gb? Quite a bit could be could be transferred in just a matter of minutes. The follow-up question should be, of the amount was transferred, how many of those show potential evidence of fraud, versus those which were not transferred?

    Seems to me that we're missing some fairly obvious numbers here. The fact that a very small number show evidence of fraud does not interest me as much as the percentage of the database transferred.
  • Maybe they're required by law (or by the credit card companies) to store the information for a certain amount of time after the transaction. Do I know? No, but neither do you. Unless you do know, shut up.
  • Possibly because they believe that those credit cards are fraudulently being used not from being stolen from their site but from just ordinary everyday credit card fraud.

    Plus, not all of the cards are being used fraudulently. 7500 cards show possible fraudulent activity. I've been contacted by my credit card company when they thought my card was being used fraudulently when it wasn't, a few years ago my mother was detained at a store because the credit card company wouldn't put the charge through due to possible fraud.
  • Credit card companies, as a rule, pay very close attention to every charge made on their credit cards. I ordered the parts to build a computer system, something I had not done before, all in one hour.

    Visa [I think it was visa, we have more than a few credit cards] assumed that my card had been stolen, and denied almost all of the charges. It took a few phone calls to Visa, the companies I ordered parts from, and about a week, to convince Visa that I was actually the person ordering the parts, and that I really did want to buy them ;)

    --

  • Uh.. ok.. i might be missing something, i'm not too up on the starband as i'm in Canada but wouldn't using a 9/25pin serial cable just slow the whole thing down? max rate on a serial connection is 115kbps (unless they changed the specs and no one told me) so wouldn't that stop your 'max of 400kbps' data rate from hitting the computer? bottleneck??

    I have already read some horror stories on 2way satellite, all to do with latency and low connection speeds.. this would just compound to the problem. The point of using USB is to avoid the 'network card' requirement while still providing a fast bandwidth rate into the computer.

    just my thoughts.. but i wouldn't suggest doing that...

  • > "Although I can't yet release proprietary technical information publicly, there are other ways we might be able to help out with this sort of project. For example, we may be able to help with testing or verification of compatibility with various revisions of Dreamcast hardware."

    There were reports of Iraq buying up lots of PS2s, but this seems like a much better solution. BSD has an already understood architecture (although it would be running on bizzare hardware), a wide source base (versus almost nothing for the PS2), etc. With the ethernet adaptor being released eventually, these things could probably be more cost effective for clustered processing than PS2s.

  • I actually do business with Egghead and got their email...but I also know it's posted on their web site somewhere.
    I personally like the line that reads (just below what the originall submitter said...I think he's just spreading FUD):

    "At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site."

    Stick that in your "Egghead is bad" pipe and smoke it.


  • While I agree with you (...and Egghead) that their credit card database hasn't been stolen, I don't buy the 7500 out of 3,000,000 arguement. If fradulent activity was taking place on my credit card, it would likely take me a month to find out. Also, if you just stole *3 Million* credit card numbers, how long would it take for you to use them all!
  • As you've no doubt noticed, systems sell for a fairly consistent price over their whole lifetime. So, while maybe each console goes for a $20 or $30 loss right now (or maybe not; consoles are not ALWAYS sold for a loss, only if the company believes that this is necessary to be competitive), in a year their production costs may only be a half of what they are today. Hence, they'll turn a profit over the majority of the life of the console.
  • "Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

    Well... I guess you could always read the next sentence...

    "At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site. "
  • I figure they're embracing it simply because there are so few NetBSD/DC users out there that it couldn't possibly dent their income. I would be surprised if there were more than 1000 NetBSD/DC users worldwide (but hey...who knows)

    So, if they embrace this niche, and help assist the NBSD team create a usable OS, the end-user may pick up a commercial game from time to time, just to have something else to do with his DC...thus actually economically contributing to the system, even if only a little. Perhaps, in time the new generation of gaming APIs will be ported and someone/company may distro a DC game that is NetBSD based. Running a free OS could give the DC enough longevity to possibly see it someday.

    Back to reality though, I doubt that many people are going to ever dig into using this setup, simply because it wasn't built to be a workable PC. It will always be cumbersome; at least moreso than a PC.

    ...but I have to think that if someone could get two NICs into it, it would make a dandy low-profile firewall. ;-)

    sedawkgrep
  • Here is a good quote from
    http://www.newsbytes.com/pubNews/99/140307.html

    Seventy-five percent of online merchants consider credit card fraud to be a concern, yet 41 percent do not know that they are held financially liable when online fraud takes place, according to an independent online fraud survey just published.

    Wow, ya think egghead knows that? Or is it in the 41 percent of ignorant businesses?

  • FreeBSD is their "reference platform." When OSX was designed, the layout and system semantics where taken from FreeBSD. In this sense, OSX is "based" on FreeBSD, but there is no other link between FreeBSD and OSX.

    As the other responder suggested, OSX is based (in the traditional sense of building on top of) the Mach kernel, and takes a lot of things from NeXTSTEP.

    A new year calls for a new signature.

  • Doesn't work. They up the limit till you have trouble making the monthly minimums.
  • They also keep it on file in case someone claims an order is fradulant, they can look up the order, the amount, and where it was shipped. If it was shipped to you, and the shippers confirm it, then they rightly keep the money, however if it was shipped to Russia... you may have a case.
  • 2 years ago (February of 1999 to be exact) I purchased a Zip drive through Onsale.com. Onsale.com merged with Egghead.com, and then egghead had their site hacked. Egghead sent me an e-mail regarding the matter (which I ignored because I never have had any business directly with them) and they also told my bank. My bank promptly killed my credit card as a security measure (without telling me of course). I discovered the problem when I tried to buy my textbooks using my card. Luckily my bank agreed to reactivate my account for 30 minutes to allow me to purchase my books and they are in the process of sending me a new card. Apparently they killed the ATM function of my card for good measure as well. To make matters worse my grandfather passed away yesterday and not having a credit card made it VERY difficult to get a plane ticket home (I ended up using my younger brothers card). I would like to see a class action suit filed against egghead.com for the trouble they have caused the public. I made the purchase two years ago form another company. Why do they have my credit card number on file? What was that number doing on a machine accessible from the Internet. Egghead.com has a lot to answer for.
  • Wow. If this is a genuine endorsement of NetBSD/dreamcast from Sega, then I have to give them an enormous amount of respect. Especially for the following quote from the alleged John Byrd:
    I am very interested in NetBSD for Dreamcast for many reasons. ... <snip> ... Fourth, it's cool :)
    By the way, the link above to the original article is wrong. Here [slashdot.org] it is.


  • Just as a point of reference, Visa would not be calling you about possible fraudulent card usage. Visa would notify your card issuer (usually a bank) and they would make a decision about notifying you or not. Visa maintains the machine (Sun Ultra 10k, IIRC) that runs the scenarios and tracks usage, but the members, otherwise known as issuers and merchants, are the ones that use that information.

    I maintain the global network for Visa, so I know a bit about the subject.

  • It would certainly help if people read just a little farther in the letter:

    At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site.

    While they are somewhat non-committal in their analysis (a good idea since they have no absolute proof at this point), I think they've done a decent job of informing people who might have been affected. C'mon people: you can read!



  • This is totally legit. John Byrd does work at Sega, and he did send that email to the NetBSD list.

    Greg G.

  • by Anonymous Coward on Tuesday January 09, 2001 @03:03PM (#518627)
    Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do...

    Not if 0.2% of credit cards normally show evidence of fraudulent activity. What they seem to be saying is that there's no reason to believe that Egghead customers are experiencing any more than the usual amount of credit-card fraud.
  • by ewhac (5844) on Tuesday January 09, 2001 @04:20PM (#518628) Homepage Journal

    John Byrd and I both worked for $(MUMBLE_SALT_PILE_MUMBLE), and I've exchanged email with him since his move to Sega. He does indeed support Dreamcast developers. While we disagree about just how much to crack open the specs of the Dreamcast for "arbitrary" development, he's basically a good egg.

    Ask him to spill the beans some time on Sega's reaction to Micros~1's XBox announcement, after Sega spent all that effort helping Micros~1 whip WinCE into shape for a console environment...

    Schwab

  • by C.Su (26247) on Tuesday January 09, 2001 @03:46PM (#518629)
    When 20 of the first 25 posts to a slashdot article contains lucid discussion regarding a misrepresentation within the posted article, then you know for certain that there really must be a problem. The poster, and/or submitter, of the Egghead blurb obviously neglected to read the memo that Egghead (most admirably) sent out their customers. As others have already pointed out, the sentences immediately following the one containing the 7,500 figure state:
    • "This is a very small fraction -- less than two tenths of one percent -- of the approximately three million credit cards registered with Egghead.com. At this point it is difficult to determine whether any fraudulent activity on this relatively small number of credit cards can be traced back to the attack on our system, or whether it may be the result of credit card theft elsewhere. At this point, the evidence we have gathered to-date suggests that these credit card numbers were NOT obtained from our site.
    Editors, be responsible, update the Egghead slashback item.
  • by segmond (34052) on Wednesday January 10, 2001 @07:00AM (#518630)
    your post disgusts me. BSD is the true spirit of FREE software, it is free to all, including those you don't like. GPL is not free, It is restricted freedom, and I will support 100% unrestricted freedom anyday than restricted freedom. First of all, no company can use your code without giving your credit. Credit means a lot! Yes, it is not money, but having a company give credit to the small guys is a big thing! Probably not for you, since I dobut you are a coder.

  • by smoondog (85133) on Tuesday January 09, 2001 @04:23PM (#518631)
    Nice to see that previous posts have pointed out that 7500 cards may be statistically not evidence of a breakin. (Sometimes I think /.'ers go off the handle without thinking -- I like being proven wrong) Even so, it seems that having 3,000,000 cards on file is a huge security risk, not just for egghead and the customers, but VISA as well. I bet credit card companies start using more temporary number authentication schemes in the future to limit their liability to problems such as this.... -Moondog
  • by Bluesee (173416) <michaelpatrickkenny.yahoo@com> on Tuesday January 09, 2001 @03:29PM (#518632)
    I think this is an example of fairly responsible corporate behavior. Egghead has to respond to the needs of the stockholders, their customers, and the FBI. So, given the fine line they must walk, I think that the fact that they sent a letter to the customers informing them of the intrusion is pretty laudable.

    Of course, they may have been required to do this. Wow, their stock is barely breathing at 0.53, but it wasn't due to the break-in. They've been tanking steadily since they IPO'd, apparently sometime late in '99.

    Are the Egghead Software stores still around? I am pretty sure they aren't. Oh, I see they announced that they were closing their doors and concentrating on e-tailing software in January 98. Too bad... I think they were one of the first successful CompUSA prototpyes.

  • by SubtleNuance (184325) on Tuesday January 09, 2001 @05:17PM (#518633) Journal
    Second, Sega can in principle use this work on NetBSD in official Dreamcast games, much the same way that Apple is using NetBSD as the core for OS X, since NetBSD is free of some of the licensing restrictions of Linux

    Im assuming this will get mucho flames from the BSD 31337 but:

    The above is the #1 reason I release my code GPL. The reason OSX is based on NetBSD only because it does not have a GNU license. ATTENTION BSD HACKERS if you want your code to swell corporate coffers continue to work on *BSD. If you are interested in freeing (libre) computer users from Corporate Computing Domination continue to hack *BSD. If you are interested in liberating people (ourselves) from corporate computing chains please PLEASE do not work for these slugs who will use your code to make profits for themselves. If you are interested in having someone else profit from your work: hack *BSD.
    The BEST aspect of Linux is the viral(sp) nature of GNU. *BSD being an alternative -- but one that can be corporatly co-opted -- is obviously contrary to the major tennants of OpenSource ie the libre portion of free...

    This is why I never deploy *BSD ever.

    Do I think NetBSD on DC is cool? Yes. Do i 'like' that Sega has an interest in working with an 'open' developer group? Yes. Do I like the idea that *BSD is/has/will become a 'free' code base to subsidize future corporate software projects (why hire people to write our products when we can just steal *BSD code and clean it up & call it our own & sell it for $49.95 on Amazon..) OSX is the major example. The #1 reason that Apple is using *BSD in the backend is that they can get it for free (as in beer) - and *BSD hackers will keep doing bugfixes, implementing features and the like... all for free (gratis). While the their innovative work is kept locked up for themselves -- not exactly a fair exchange between honest parties is it...
  • by smarner (212673) on Tuesday January 09, 2001 @03:10PM (#518634)
    The implication that Egghead admitted that 7,500 cases of credit card fraud were tied to the recent hack of its servers is misleading. As the full text of the email makes clear, 7,500 of the credit cards in Egghead's database showed possible signs of fraudulent use when the accounts were examined by the credit card companies. There is no indication that any of those fraudulent uses resulted from access to Egghead's credit card info. Also, the credit card companies tend to take a very liberal view of what constitutes possible fraudulent use, since they often are left with a loss from fraud (unless they can pass off the "charge back" to a merchant). I had an order for a Playstation 2 through mediaplay.com denied by the credit card company because they thought the transaction looked fraudulent for some reason. They notified me by postcard.... One side note: The first notice from Egghead wasn't particularly helpful. It didn't tell you what credit card may have been compromised. If you had more than one, I guess the expected you to either cancel them all or call and get some details.
  • by joshwa (24288) on Tuesday January 09, 2001 @03:32PM (#518635) Homepage Journal

    I asked egghead specifically about this problem: Their reply:

    Dear Joshua Wand,

    We'd like to update you regarding your customer service request xxxxxxxx.

    While we are able to remove your credit card number from your account and our customer files, if you have placed an order with us, the credit card number will remain on record with that transaction. We are required by credit card agreements to maintain these financial transactions. This information is also used when crediting or refunding your order. Please be assured we have taken significant measures to ensure this data is stored in a highly secure environment.

    While the FBI investigation is still ongoing, we can now give you an update on our internal investigation, which has uncovered evidence which suggests that Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has NOT been compromised.

    Through our joint efforts with Kroll Associates over the past few weeks, we have taken additional steps to reduce the possibility of future incidents by continuing to strengthen our security measures. This is an ongoing process that we continue to take very seriously.

    Sincerely,

    Dan R

    Your Customer Service Representative

  • by bugg (65930) on Tuesday January 09, 2001 @03:13PM (#518636) Homepage
    It's a widely held belief that gaming companies sell the console at a loss, and then recoup their expenses from the licensing fees that they can charge with an established customer base.

    If SoA is supporting this, does this mean that they just don't realize that people who buy a Dreamcast solely to run NetBSD are costing them money? Or do they take the safer (much safer) guess that someone who bought it for NetBSD would also pick up a couple games? Or are they not selling them at a loss?

  • by PsionicMan (74653) on Tuesday January 09, 2001 @03:46PM (#518637) Homepage
    Assuming it's the same guy and not an imposter...

    John Byrd emails and reads the dc-dev mailing list (which I'm on) fairly regularly. The general consensus is that he's legit.

    The archives of the list can be found here [allusion.net] (not too up to date as Dan Potter, who runs that site, has yet to find a good solution to archiving the list).

    For more on dc dev, see Jules' site [consoledev.com], which is more or less a good hub site for everything dc dev related.

    --Psi

    Max, in America, it's customary to drive on the right.

  • by n7ytd (230708) on Tuesday January 09, 2001 @03:46PM (#518638)
    Here is the letter (bold face emphasis is mine):

    Dear Customer,

    On December 22nd, as a precautionary measure I wrote to inform you of an
    attack on our computer systems. Regrettably, until now, we have not been
    able to update you or comment publicly on the situation, due to an ongoing
    investigation into the matter.

    While the FBI investigation is ongoing, I can now give you an update on our
    internal investigation, which has uncovered evidence which suggests that
    Egghead.com's existing security systems interrupted the intrusion while it
    was in progress, and that customer data has not been compromised.

    In addition, reports from the credit card companies with whom we work
    suggest that fewer than 7,500 credit card accounts registered with us
    have shown possible fraudulent activity. This is a very small fraction --
    less than two tenths of one percent -- of the approximately three million
    credit cards registered with Egghead.com. At this point it is difficult
    to determine whether any fraudulent activity on this relatively small
    number of credit cards can be traced back to the attack on our system, or
    whether it may be the result of credit card theft elsewhere. At this point,
    the evidence we have gathered to-date suggests that these credit card
    numbers were NOT obtained from our site.


    We have heard from many of you, and we thank you for your support and
    patience as we continue the complex investigation into this unfortunate
    incident. I realize that taking this precautionary measure of informing you
    and the credit card companies of the breach resulted in the cancellation of
    credit cards, and even embarrassment, for some of you, and we sincerely
    apologize for any trouble this may have caused. However, that was the risk
    we ran by going public, and it is important to understand that the actions
    taken by the credit card issuers were also out of their eagerness to protect
    your best interests.

    Our first priority has been to protect our customers. We deeply regret
    any inconvenience recent events may have caused you, but we believed that
    going public with this information would help limit any possible damage,
    and give you the choice of taking precautions to protect your privacy. I
    believe strongly that this was the prudent and responsible course of action
    for our company -- or any company -- faced with this situation.

    Through our joint efforts with Kroll Associates over the past few weeks, we
    have taken additional steps to reduce the possibility of future incidents by
    continuing to strengthen our security measures. This is an ongoing process
    that we continue to take very seriously. All of the information that we have
    gathered has been turned over to the FBI, which is conducting an ongoing
    investigation.

    Below is the press release we will be issuing on Monday, January 8th. If
    you have questions, please contact our Customer Service Department at
    1-800-EGGHEAD (1-800-344-4323), which is open from 5:00 AM - 7:00PM
    Pacific Time, Monday through Friday, and 7:00 AM - 3:00 PM Pacific Time,
    Saturday and Sunday. You can also send an email by visiting this URL:

    https://www.egghead.com/custserv/actreq/general_qu estions_login.htm

    Respectfully,

    Jeff Sheahan
    President & CEO
    Egghead.com, Inc.
  • by tbo (35008) on Tuesday January 09, 2001 @03:12PM (#518639) Journal
    Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently? I think Egghead has some more explaining to do..."

    They have three million credit cards in their database. They checked with the credit card companies, and in the past little while, 7,500 of them were used fradulently. That's a very small percentage, and probably typical. Nowhere does it say that this fradulent use was in any way due to Egghead. Having your credit card number stolen online is not the only way to have it used fradulently, people. That pimply kid at the gas station could be copying down your numbers, for all you know.

    Now, I know Egghead is a Corporation, and thus obviously guilty of the incredibly heinous act of trying to make money, but couldn't we at least stop trying to make shit up?
  • by EraseEraseMe (167638) on Tuesday January 09, 2001 @03:05PM (#518640)
    Now, if their security systems stopped the intruders cold, why were 7500 credit cards then used fraudulently?

    Possibly because they believe that those credit cards are fraudulently being used not from being stolen from their site but from just ordinary everyday credit card fraud. Their justification is so low a percentage of the credit cards seem to be fraudulently used that it's comparable to normal percentages of credit card fraud.

    What's more likely is that the attackers haven't gotten to use all the credit cards yet ;)

  • by BLAG-blast (302533) on Tuesday January 09, 2001 @03:25PM (#518641)

    This is why I always keep my Credit Cards maxed out. (Plus everybody thinks I'm a good consuemer.)

    If you've not already, max out your credit cards today.

In any formula, constants (especially those obtained from handbooks) are to be treated as variables.

Working...