Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!masscomp!calvin!mark From: mark@calvin..westford.ccur.com (Mark Thompson) Newsgroups: comp.sys.amiga.misc Subject: Re: Anyone using prodigy with an AMIGA? (long) Message-ID: <62040@masscomp.westford.ccur.com> Date: 7 May 91 14:32:25 GMT References: <1991May02.160135.20734@convex.com> <1991May5.205134.665@bilver.uucp> <1991May7.001840.8440@bilver.uucp> Sender: news@masscomp.westford.ccur.com Reply-To: mark@calvin.westford.ccur.com (Mark Thompson) Distribution: na Organization: Concurrent Computer Corp. Westford MA. Lines: 142 In article <1991May7.001840.8440@bilver.uucp> alex@bilver.uucp (Alex Matulich) writes: >nj@magnolia.Berkeley.EDU (Narciso Jaramillo) writes: >>alex@bilver.uucp (Alex Matulich) fumed: >> [about Prodigy's STAGE.DAT file] >> Doesn't anybody realize that under MSDOS, when a program allocates >> file space for itself on the hard disk, that space may contain fragments >> of files that used to occupy that space? >What I was trying to say in my somewhat vitriolic post (apologies for >that) was that IF private info is indeed inside STAGE.DAT because >it was already occupying _unused_ hard disk space which got allocated >by Prodigy, THEN the security risk is no fault of Prodigy's -- MS-DOS is >then the culprit causing the security risk. >I think if Prodigy is really stealing data, they aren't doing it through >that STAGE.DAT file. There are better ways. I have not been following this thread so I am sorry if this is old news but here is some info on Prodigy and the STAGE.DAT file that seems to indicate that the above arguments about MS-DOG being at fault are incorrect. Read on if you are interested. | FYI, forwarded to me by a Prodigy user. I reccomend using extreme | caution with this service for the reasons outlined below. | | Prodigy: More of a Prodigy Than We Think? | By: Linda Houser Rohbough | The stigma that haunts child prodigies is that they are difficult | to get along with, mischievous and occasionally, just flat dangerous, | using innocence to trick us. I wonder if that label fits Prodigy, | Sears and IBM's telecommunications network? | | Those of you who read my December article know that I was tipped | off at COMDEX to look at a Prodigy file, created when Prodigy is | loaded STAGE.DAT. I was told I would find in that file personal | information form my hard disk unrelated to Prodigy. As you know, I | did find copies of the source code to our product FastTrack, in | STAGE.DAT. The fact that they were there at all gave me the same | feeling of violation as the last time my home was broken into by | burglars. | | I invited you to look at your own STAGE.DAT file, if you're a | Prodigy user, and see if you found anything suspect. Since then I | have had numerous calls with reports of similar finds, everything from | private patient medical information to classified government | information. | | The danger is Prodigy is uploading STAGE.DAT and taking a look at | your private business. Why? My guess is marketing research, which is | expensive through legitimate channels, and unwelcomed by you and I. | The question now is: Is it on purpose, or a mistake? One caller | theorizes that it is a bug. He looked at STAGE.DAT with a piece of | software he wrote to look at the physical location of data on the hard | disk, and found that his STAGE.DAT file allocated 950,272 bytes of | disk space for storage. | | Prodigy stored information about the sections viewed frequently | and the data needed to draw those screens in STAGE.DAT. Service would | be faster with information stored on the PC rather then the same | information being downloaded >from Prodigy each time. | | That's a viable theory because ASCII evidence of those screens | shots can be found in STAGE.DAT, along with AUTOEXEC.BAT and path | information. I am led to belive that the path and system | configuration (in RAM) are diddled with and then restored to previous | settings upon exit. So the theory goes, in allocating that disk | space, Prodigy accidently includes data left after an erasure (As you | know, DOS does not wipe clean the space that deleted files took on the | hard disk, but merely marked the space as vacant in the File | Allocation Table.) | | There are a couple of problems with this theory. One is that it | assumes that the space was all allocated at once, meaning all 950,272 | bytes were absorbed at one time. That simply isn't true. My | STAGE.DAT was 250,000+ bytes after the first time I used Prodigy. The | second assumption is that Prodigy didn't want the personal | information; it was getting it accidently in uploading and downloading | to and from STAGE.DAT. The E-mail controversy with Prodigy throws | doubt upon that. The E-mail controversy started because people were | finding mail they sent with comments about Prodigy or the E-mail, | especially negative ones, didn't ever arrive. Now Prodigy is saying | they don't actually read the mail, they just have the computer scan it | for key terms, and delete those messages because they are responsible | for what happens on Prodigy. | | I received a call from someone from another user group who read our | newsletter and is very involved in telecommunications. He installed | and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg disk. Sure | enough, upon | checking STAGE.DAT he discovered personal data from his hard disk that | could not have been left there after an erasure. He had a very | difficult time trying to get someone at Prodigy to talk to about this. | | -------------- | | Excerpt of email on the above subject: | | THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST ALL | WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY. THE FILE | DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR | PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY | SUB-DIRECTORY CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND WAITING | FOR THAT NEXT MENU COME UP, THEY'RE UPLOADING YOUR STUFF AND LOOKING | AT IT. | | TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A | GENTLEMAN WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS A | COLUMNIST ON PRODIGY. HE SAID THAT THE INFO FOUND IN 'FRAUDIGY.ZIP' | WAS INDEED TRUE AND THAT IF YOU READ YOUR ON-LINE AGREEMENT CLOSELY, | IT SAYS THAT YOU SIGN ALL RIGHTS TO YOUR COMPUTER AND ITS CONTENTS TO | PRODIGY, IBM & SEARS WHEN YOU AGREE TO THE SERVICE. | | I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN | 'PRODIGY' KIT. I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD DRIVE | PARTITION, AND ONE ONTO A 1.2MB FLOPPY. ON THE FLOPPY VERSION, UPON | INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE FILE 'STAGE.DAT' | CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE CONTAINED IN MY 'C:' | DRIVE BOOT DIRECTORY. USING THE HARD DRIVE DIRECTORY OF PRODIGY THAT | WAS SET UP, I PROCEDED TO LOG ON. I LOGGED ON, CONSENTED TO THE | AGREEMENT, AND LOGGED OFF. REMEMBER, THIS WAS A VIRGIN SETUP KIT. | | AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND | IN THE PRODIGY SUBDIRECTORY. IN THOSE FILES, I FOUND POINTERS TO | PERSONAL NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY | DRIVE, AND AT THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY | PC-DESKTOP APPOINTMENTS CALENDER. | | CHECK IT OUT FOR YOURSELF. | | ### END OF BBS FILE ### | | I had my lawyer check his STAGE.DAT file and he found none other than | CONFIDENTIAL CLIENT INFO in it. | | Needless to say he is no longer a Prodigy user. end of forwarded message %~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~% % ` ' Mark Thompson CONCURRENT COMPUTER % % --==* RADIANT *==-- mark@westford.ccur.com Principal Graphics % % ' Image ` ...!uunet!masscomp!mark Hardware Architect % % Productions (508)392-2480 (603)424-1829 & General Nuisance % % % ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~