
Misc: If you thought PRODIGY was bad before, read THIS! Scary shit!

Article 1143 of comp.org.eff.talk:
Xref: vpnet comp.org.eff.talk:1143 alt.privacy:471 alt.censorship:862
Path: vpnet!tellab5!laidbak!ism.isc.com!ispd-newsserver!uunet!mnemosyne.cs.du.edu!isis.cs.du.edu!sbrack
From: sbrack@isis.cs.du.edu (Steven S. Brack)
Newsgroups: comp.org.eff.talk,alt.privacy,alt.censorship
Subject: Prodigy charged with invading users' privacy (was Re: Lifestyle Information ( was Re: Safeway Stores to Accept Charge)
Message-ID: <1991Apr30.185752.4913@mnemosyne.cs.du.edu>
Date: 30 Apr 91 18:57:52 GMT
References: <Yc17Uk091EAf0UUpBn@rchland.ibm.com> <w010Z2w164w@dogface> <1991Apr20.022809.10259@svc.portal.com> <1991Apr30.143000.17493@cbnewse.att.com> <1991Apr30.184714.4675@mnemosyne.cs.du.edu>
Sender: usenet@mnemosyne.cs.du.edu (netnews admin account)
Reply-To: sbrack@isis.UUCP (Steven S. Brack)
Organization: Nyx, Public Access Unix (sponsored by U. of Denver Math/CS dept.)
Lines: 295
Disclaimer1: Nyx is a public access Unix system run by the University of Denver
Disclaimer2: for the Denver community.  The University has neither control over
Disclaimer3: nor responsibility for the opinions of users.

In article <1991Apr30.184714.4675@mnemosyne.cs.du.edu> sbrack@isis.UUCP (Me)   writes:
>Two articles appeared in comp.dcom.telecom recently:
>
>The first talks about Prodigy apparently uploading information from users'
>machines without their knowledge.  This information has included programs,
>legal records, & personal documents.

	===== Start reposted Article =====

From mnemosyne.cs.du.edu!uunet!spool.mu.edu!telecom-request Mon Apr 29 03:48:35 MDT 1991

X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 11, Issue 311, Message 1 of 4

"Mark A. Emanuele" <overlf!emanuele@kb2ear.ampr.org> writes:

I just downloaded this from a local bbs and thought it might be interesting.


 ### BEGIN BBS FILE ###

   218/250: Fraudigy  
   Name: George J Marengo #199 @6974 
   From: The Gangs of Vista (Southern California) 619-758-5920


        The L. A. County District Attorney is formally investigating
PRODIGY for deceptive trade practices.  I have spoken with the
investigator assigned (who called me just this morning, February 22,
1991).

We are free to announce the fact of the investigation.  Anyone can
file a complaint.  From anywhere.

The address is:                                                         

District Attorney's Office                                              
Department of Consumer Protection                                       
Attn: RICH GOLDSTEIN, Investigator                                      
Hall of Records   Room 540
320 West Temple Street                                                  
Los Angeles, CA 90012                                                   

Rich doesn't want phone calls, he wants simple written statements and
copies (no originals) of any relevant documents attached.  He will
call the individuals as needed, he doesn't want his phone ringing off
the hook, but you may call him if it is urgent at 1-213-974-3981.

PLEASE READ THIS SECTION EXTRA CAREFULLY.  YOU NEED NOT BE IN
CALIFORNIA TO FILE!!

        If any of us "locals" want to discuss this, call me at the
Office Numbers: (818) 989-2434; (213) 874-4044.  Remember, the next
time you pay your property taxes, this is what you are supposed to be
getting ... service.  Flat rate?  [laugh] BTW, THE COUNTY IS
REPRESENTING THE STATE OF CALIFORNIA.  This ISN'T limited to L. A.
County and complaints are welcome from ANYWHERE in the Country or the
world. The idea is investigation of specific Code Sections and if a
Nationwide Pattern is shown, all the better.

LARRY ROSENBERG, ATTY


  Prodigy: More of a Prodigy Than We Think? 
  By: Linda Houser Rohbough                                    


     The stigma that haunts child prodigies is that they are difficult
to get along with, mischievous and occasionally, just flat dangerous,
using innocence to trick us. I wonder if that label fits Prodigy,
Sears and IBM's telecommunications network?

     Those of you who read my December article know that I was tipped
off at COMDEX to look at a Prodigy file, created when Prodigy is
loaded, STAGE.DAT. I was told I would find in that file personal
information from my hard disk unrelated to Prodigy.  As you know, I
did find copies of the source code to our product FastTrack, in
STAGE.DAT. The fact that they were there at all gave me the same
feeling of violation as the last time my home was broken into by
burglars.
                                                                          
     I invited you to look at your own STAGE.DAT file, if you're a
Prodigy user, and see if you found anything suspect. Since then I have
had numerous calls with reports of similar finds, everything from
private patient medical information to classified government
information.
                                                                          
     The danger is Prodigy is uploading STAGE.DAT and taking a look at
your private business. Why? My guess is marketing research, which is
expensive through legitimate channels, and unwelcomed by you and me.
The question now is: Is it on purpose, or a mistake?  One caller
theorizes that it is a bug. He looked at STAGE.DAT with a piece of
software he wrote to look at the physical location of data on the hard
disk, and found that his STAGE.DAT file allocated 950,272 bytes of
disk space for storage.
                                                                          
     Prodigy stored information about the sections viewed frequently
and the data needed to draw those screens in STAGE.DAT. Service would
be faster with information stored on the PC rather than the same
information being downloaded from Prodigy each time.
                                                                          
     That's a viable theory because ASCII evidence of those screen
shots can be found in STAGE.DAT, along with AUTOEXEC.BAT and path
information. I am led to believe that the path and system configuration
(in RAM) are diddled with and then restored to previous settings upon
exit. So the theory goes, in allocating that disk space, Prodigy
accidentally includes data left after an erasure (As you know, DOS does
not wipe clean the space that deleted files took on the hard disk, but
merely marked the space as vacant in the File Allocation Table.)
                                                                           
     There are a couple of problems with this theory. One is that it
assumes that the space was all allocated at once, meaning all 950,272
bytes were absorbed at one time.  That simply isn't true.  My
STAGE.DAT was 250,000+ bytes after the first time I used Prodigy. The
second assumption is that Prodigy didn't want the personal
information; it was getting it accidentally in uploading and downloading
to and from STAGE.DAT. The E-mail controversy with Prodigy throws
doubt upon that. The E-mail controversy started because people were
finding mail they sent with comments about Prodigy or the E-mail,
especially negative ones, didn't ever arrive. Now Prodigy is saying
they don't actually read the mail, they just have the computer scan it
for key terms, and delete those messages because they are responsible
for what happens on Prodigy.
                                                                           
     I received a call from someone from another user group who read
our newsletter and is very involved in telecommunications.  He
installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg
disk. Sure enough, upon checking STAGE.DAT he discovered personal data
from his hard disk that could not have been left there after an
erasure. He had a very difficult time trying to get someone at Prodigy
to talk to about this.
                                                                       
                           --------------

Excerpt of email on the above subject:

THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST ALL
WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY.  THE FILE
DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR
PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY
SUB-DIRECTORY CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND WAITING
FOR THAT NEXT MENU TO COME UP, THEY'RE UPLOADING YOUR STUFF AND LOOKING
AT IT.

     TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A
GENTLEMAN WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS A
COLUMNIST ON PRODIGY. HE SAID THAT THE INFO FOUND IN 'FRAUDIGY.ZIP'
WAS INDEED TRUE AND THAT IF YOU READ YOUR ON-LINE AGREEMENT CLOSELY,
IT SAYS THAT YOU SIGN ALL RIGHTS TO YOUR COMPUTER AND ITS CONTENTS TO
PRODIGY, IBM & SEARS WHEN YOU AGREE TO THE SERVICE.

     I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN
'PRODIGY' KIT.  I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD DRIVE
PARTITION, AND ONE ONTO A 1.2MB FLOPPY.  ON THE FLOPPY VERSION, UPON
INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE FILE 'STAGE.DAT'
CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE CONTAINED IN MY 'C:'
DRIVE BOOT DIRECTORY.  USING THE HARD DRIVE DIRECTORY OF PRODIGY THAT
WAS SET UP, I PROCEEDED TO LOG ON.  I LOGGED ON, CONSENTED TO THE
AGREEMENT, AND LOGGED OFF. REMEMBER, THIS WAS A VIRGIN SETUP KIT.

     AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND
IN THE PRODIGY SUBDIRECTORY.  IN THOSE FILES, I FOUND POINTERS TO
PERSONAL NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY
DRIVE, AND AT THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY
PC-DESKTOP APPOINTMENTS CALENDAR.

     CHECK IT OUT FOR YOURSELF.

 ### END OF BBS FILE ###

I had my lawyer check his STAGE.DAT file and he found none other than
CONFIDENTIAL CLIENT INFO in it.

Needless to say he is no longer a Prodigy user.


Mark A. Emanuele   V.P. Engineering  Overleaf, Inc.
218 Summit Ave   Fords, NJ 08863   (908) 738-8486 
emanuele@overlf.UUCP


[Moderator's Note: Thanks very much for sending along this fascinating
report for the readers of TELECOM Digest. I've always said, and still
believe that the proprietors of any online computer service have the
right to run it any way they want -- even into the ground! -- and
that users are free to stay or leave as they see fit. But it is really
disturbing to think that Prodigy has the nerve to rip off private stuff
belonging to users, at least without telling them. But as I think
about it, *who* would sign up with that service if they had bothered
to read the service contract carefully and had the points in this
article explained in detail?    PAT]


From mnemosyne.cs.du.edu!uunet!spool.mu.edu!mips!pacbell.com!lll-winken!telecom-request Mon Apr 29 03:50:16 MDT 1991

X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 11, Issue 314, Message 5 of 8

"Mark A. Emanuele" <overlf!emanuele@kb2ear.ampr.org> writes:

> I just downloaded this from a local bbs and thought it might be
> interesting.

>   Prodigy: More of a Prodigy Than We Think? 
>   By: Linda Houser Rohbough                                    

>      Those of you who read my December article know that I was tipped
> off at COMDEX to look at a Prodigy file, created when Prodigy is
> loaded, STAGE.DAT. I was told I would find in that file personal
> information from my hard disk unrelated to Prodigy.  As you know, I
> did find copies of the source code to our product FastTrack, in
> STAGE.DAT. The fact that they were there at all gave me the same
> feeling of violation as the last time my home was broken into by
> burglars.

The original author then speculates:

>  So the theory goes, in allocating that disk space, Prodigy
> accidentally includes data left after an erasure (As you know, DOS does
> not wipe clean the space that deleted files took on the hard disk, but
> merely marked the space as vacant in the File Allocation Table.)

>      There are a couple of problems with this theory. One is that it
> assumes that the space was all allocated at once, meaning all 950,272
> bytes were absorbed at one time.  That simply isn't true.  My
> STAGE.DAT was 250,000+ bytes after the first time I used Prodigy. The
> second assumption is that Prodigy didn't want the personal
> information; it was getting it accidentally in uploading and downloading
> to and from STAGE.DAT.

I don't think that this explanation has been adequately refuted.  When
I examined my STAGE.DAT, I found lots of "private" information on the
leftover ends of sectors - a sure sign that no erasure of prior
information was being done by the Prodigy software.  Since this is
standard practice in DOS programming we all need to be more careful
about this type of problem.  I am never able to understand folks who
reach in a drawer, "erase files from the floppy retrieved", then copy a
file over to the disk to give to me certain that I cannot read what
was on the disk before!  But I digress.

Even the experiments reported later in the posting really don't
discount this explanation.  In that experiment, the user ran from a
floppy based disk, but on a system with a hard disk.  If I were a
Prodigy programmer, I would consider it good programming to look for
scratch space on every device available to me.  If I could find hard
disk scratch space, I would use it.  Then when terminating the program
I might copy it from the hard disk to the floppy so it would be
available to me the next time I ran the program.

Whether the space is allocated all at one point in time, is allowed to
grow, or is allocated and deallocated dynamically matters not at all.
The big problem is that there is always the problem of data from a
previous file being included as parts of a new file.  If you are
concerned about this, you need to get one of the many programs which
really do "erase" the file when it is deleted or encrypt all such
files - be careful, however, about whether your word processor or
compiler doesn't use scratch files that you will need to erase or
encrypt as well.  If you use Windows that uses a disk scratch file for
the support of virtual memory you need to be concerned that something
that was core resident isn't out there on your disk now.

I don't want to maintain that the Prodigy folks are clean here, only
that before we start making charges that they are actually
intentionally uploading information we need more proof.  Anyone who is
actually interested in this can monitor what is going out to the modem
and then make their charges.  Just because it is in a scratch data set
proves nothing.  Also that their customer reps can't answer any
technical question about their software reveals nothing other than
they are like the telephone company operators we all deal with :-*

I also want to attempt to deal with the rapidly developing urban
legend about the Prodigy censoring.  As far as I am aware of, the
censoring of the "Roosevelt Dimes" message etc were in posting to one
of their "moderated groups" similar to what Pat does all the time
here :-).  It was not in private e-mail.


     J. Philip Miller, Professor, Division of Biostatistics, Box 8067
	 Washington University Medical School, St. Louis MO 63110
	     phil@wubios.WUstl.edu - Internet  (314) 362-3617
uunet!wuarchive!wubios!phil - UUCP (314)362-2693(FAX)  C90562JM@WUVMD - bitnet

	===== End Reposted Article =====







--
===========================================================================
Steven S. Brack            sbrack@nyx.cs.du.edu  |  I have yet to find a
I am not speaking for the Ohio State University. |  quote good  enough &
Now, if only I could convince them of that  8)   |  short enough.
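
The reuse behaviour Miller describes in the reposted article (deleted data surviving in clusters that a newly allocated scratch file then inherits) can be reproduced on a toy FAT-like volume, alongside the zero-on-allocate fix. This is an added example, not part of the original thread and not Prodigy's code; the ToyFatDisk class, the 512-byte cluster size, the file names and the sample memo text are all constructed for illustration.

```python
import re

CLUSTER = 512  # bytes per allocation unit (toy value chosen for the example)

class ToyFatDisk:
    """FAT-like volume: delete frees clusters in the table but leaves their bytes."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.files = {}  # name -> (cluster chain, logical size)

    def _take(self, size):
        need = -(-size // CLUSTER)  # ceiling division
        chain, self.free = self.free[:need], self.free[need:]
        return chain

    def write(self, name, payload):
        chain = self._take(len(payload))
        for i, c in enumerate(chain):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (chain, len(payload))

    def delete(self, name):
        chain, _ = self.files.pop(name)
        self.free = chain + self.free  # marked vacant; contents are not wiped

    def preallocate(self, name, size, zero_fill):
        """Reserve scratch space as a cache file might, optionally wiping it."""
        chain = self._take(size)
        if zero_fill:
            for c in chain:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.files[name] = (chain, size)

    def read(self, name):
        chain, size = self.files[name]
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)
        return raw[:size]

def printable_runs(blob, min_len=8):
    """Return ASCII strings of at least min_len characters found in blob."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def residue_in_scratch_file(zero_fill):
    disk = ToyFatDisk(clusters=16)
    memo = b"CONFIDENTIAL client memo (constructed sample)\r\n" * 20
    disk.write("NOTES.TXT", memo)
    disk.delete("NOTES.TXT")
    disk.preallocate("STAGE.DAT", 4 * CLUSTER, zero_fill)
    return printable_runs(disk.read("STAGE.DAT"))
```

Calling `residue_in_scratch_file(False)` returns the deleted memo's lines from inside the new scratch file, while `residue_in_scratch_file(True)` returns an empty list because the clusters are wiped before use.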


