egghead.com frightens millions of users with credit card
Dec 23, 2000 - egghead.com emails customers about hacker intrusion ...
... (two weeks pass)
Jan 8, 2001 - egghead.com reports no credit card data stolen
For two weeks customers of this popular electronic
retailer worried that their credit card numbers had been stolen. Rumours
spread quickly to message boards where scores of newbies claimed they had been
charged $10 by a telecom company in Moscow, Russia as a result of the egghead
hack. Cnet, ZDnet, thestreet, and all the other lame shit corporate news sites
speculated that egghead had lost its entire 3.7 million (or 3.5 million, or 2.7
million, depending on the article & publisher) credit card number + address +
shipping address database.
An anti-egghead site, eggheadsucks.com, posted speculation that the 40-bit SSL
encryption egghead.com uses for customer sessions was too weak. Let us examine
this fully. If the system was accessed by guessing a 40-bit key, that would be
equivalent to guessing a "password" of about 6 random characters: 2^40 is only
about 1.1 trillion possibilities. Brute-forcing a key that size would have cost
upwards of a million dollars as recently as 1995, but I am confident that this
has fallen to around $25,000, or the equivalent of a few hacked boxes. Keep in
mind what that buys, though: a 40-bit SSL key is a per-session key, so cracking
one exposes a single customer's transaction, not a 3.7 million-row database
that sits on the server and is never protected by the browser's cipher in the
first place.
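As an added illustration (not code from this article, from eggheadsucks.com or from egghead.com), the script below does the arithmetic behind the paragraph above and then shows what a known-plaintext brute force of a short session key looks like in practice. The key schedule is a toy model, not the real SSL 3.0 export derivation; the salt bytes, the HTTP request and the 1e9 keys/s comparison rate are constructed assumptions, labelled as such in the code.

```python
"""How big is a 40-bit key space, and what does brute-forcing one buy?

Added example, not code from the original article or from egghead.com.
It models an export-grade RC4 session key as a few secret bits followed by
public salt bytes. That is a deliberate simplification (assumption): the
real SSL 3.0 export key schedule mixes the secret with the handshake nonces
through MD5, which changes nothing about the size of the search. The demo
searches a smaller key space so it runs in seconds, then extrapolates the
measured rate to 2^40.
"""
import math
import os
import time
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm, then keystream XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet).
    Six printable ASCII characters (95 symbols) come to about 39.4 bits."""
    return length * math.log2(alphabet_size)


def strength_ratio(bits_a: int, bits_b: int) -> int:
    """How many times larger the bits_a key space is than the bits_b one."""
    return 2 ** (bits_a - bits_b)


def seconds_for_keyspace(bits: int, keys_per_second: float) -> float:
    """Worst-case time to exhaust a key space at a given search rate."""
    return (2 ** bits) / keys_per_second


def session_key(secret: int, secret_bits: int, salt: bytes) -> bytes:
    """Toy export key: the secret bits (big-endian) followed by the public salt."""
    nbytes = (secret_bits + 7) // 8
    return secret.to_bytes(nbytes, "big") + salt


def brute_force(ciphertext: bytes, known_prefix: bytes, salt: bytes, secret_bits: int):
    """Known-plaintext search over every 2^secret_bits secret.

    The attacker sees the salt (it is sent in the clear) and guesses how the
    plaintext starts, e.g. the HTTP request line. Returns (secret, keys_tried);
    secret is None if nothing matched."""
    n = len(known_prefix)
    for guess in range(1 << secret_bits):
        if rc4(session_key(guess, secret_bits, salt), ciphertext[:n]) == known_prefix:
            return guess, guess + 1
    return None, 1 << secret_bits


def demo(secret_bits: int = 12, secret: Optional[int] = None) -> dict:
    """Encrypt a constructed request under a small secret, recover it by brute
    force, and scale the measured rate up to the 40-bit export key space."""
    salt = bytes(range(11))  # constructed stand-in for the public nonces
    plaintext = b"GET /account HTTP/1.0\r\nHost: www.egghead.com\r\n"  # constructed
    if secret is None:
        secret = int.from_bytes(os.urandom(8), "big") % (1 << secret_bits)
    ciphertext = rc4(session_key(secret, secret_bits, salt), plaintext)

    t0 = time.perf_counter()
    found, tried = brute_force(ciphertext, b"GET /account", salt, secret_bits)
    elapsed = max(time.perf_counter() - t0, 1e-9)
    rate = tried / elapsed  # keys/s on this box, one core; noisy if found early
    return {
        "secret": secret,
        "found": found,
        "keys_tried": tried,
        "keys_per_second": rate,
        # Same search over the full 40-bit space on this one box:
        "seconds_for_40_bits_here": seconds_for_keyspace(40, rate),
        # Same search at an assumed 1e9 keys/s (a few fast boxes or dedicated
        # hardware; assumed figure, not from the article):
        "seconds_for_40_bits_at_1e9": seconds_for_keyspace(40, 1e9),
        # What the cracked key actually decrypts: this one session, nothing else.
        "recovered_plaintext": rc4(session_key(found, secret_bits, salt), ciphertext)
        if found is not None else None,
    }


if __name__ == "__main__":
    r = demo()
    print(f"6-char password ~ {password_bits(6, 95):.1f} bits; "
          f"DES vs 40-bit = {strength_ratio(56, 40)}x")
    print(f"recovered secret {r['found']:#x} after {r['keys_tried']} keys "
          f"({r['keys_per_second']:.0f} keys/s); 2^40 here would take "
          f"{r['seconds_for_40_bits_here'] / 86400 / 365:.1f} years, "
          f"{r['seconds_for_40_bits_at_1e9'] / 60:.0f} minutes at 1e9 keys/s")
```

The demo searches only 12 secret bits so it finishes in about a second; scaling the measured pure-Python rate by 2^28 gives years on one box, which is why any "few hacked boxes" estimate hinges on a fast native or hardware RC4, not on the script above. Note what the recovered key decrypts: the one session it was negotiated for.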
Anyone who has experimented with RC5 cracking knows that it is always possible
to get people to volunteer their CPU cycles to crack cipher keys. DES, a 56-bit
cipher, was cracked easily, and DES has 2^16 = 65536 times the key space of a
40-bit cipher. The only browsers that still max out at 40-bit encryption are
old fucked up Windows 3.1 versions of Netscape and IE, and a server that keeps
offering export cipher suites lets those clients negotiate 40-bit sessions while
everyone else gets 128-bit. An argument could be made that this was exactly who
egghead.com was catering to. With computer hardware being among the top
commodities purchased over the internet, it is entirely reasonable to assume
that some percentage of egghead.com customers were using some oldschool, barely
SSL-capable version of Netscape or IE, which they were running on a $50 486 they
purchased directly
To make matters worse, the only reason those browsers were limited to 40-bit
ciphers is the bunk ass U.S. export laws on strong cryptography (loosened in
January 2000, which is why 128-bit browsers are now freely downloadable, but
the installed base lags). The U.S. government even spent years investigating
Phil Zimmermann over the export of PGP. The excuse the U.S. makes is: what if
the Cali Cartel, Iraq, and Bin Laden had 4K RSA encryption? There might be
heroin or cocaine selling in the U.S. and nuclear bombs being traded using
encrypted usenet messages. Well, fuck that, anyone who has ever done cocaine or
crack knows that it is not all that bad. Just as anyone who has ever used
encryption probably has scores of disks that they can't even decrypt because
they lost the disk with the GPG key on it.
To top it all off, EGGS stock is at an all-time low, selling for well under a
dollar a share. Nobody knows who to blame, eggs for sucking, hackers for being
too sneaky, or customers for being so stupid as to trust a company with their
credit card information. The real culprit is the grand puppeteer of all evil,