To: David Walker 
Subject: comp.risks Prodigy postings
Date: Tue, 30 Apr 91 20:24:13 -0700
From: Stephen D Franklin 
Resent-Date:  Tue, 30 Apr 91 20:24:20 PDT
Resent-From: David Walker 
Resent-To: DWalker@neptune.nts.uci.edu

Here's what Paul was referring to.  Having dug them out for me,
I had to share them with someone who had not seen them. :-)
-- sdf
----------------------------------------------------------------------

Date: Mon, 29 Apr 91 07:31:47 MST
From: the terminal of Geoff Goodfellow 
Subject: Jerry Sweet: [comp.dcom.telecom: Prodigy and GEnie hate and rumors]

------- Forwarded Message

Date:  Sun, 28 Apr 91 22:44:01 MST
From:  Jerry Sweet 
Subject:  [comp.dcom.telecom: Prodigy and GEnie hate and rumors]
To:  "Jerry's Clipping Service":;@fernwood.mpk.ca.us

3 items: 
  - Prodigy or Fraudigy ???
  - Prodigy Questions
  - GEnie Management Acting a la Prodigy Management?

- ------- Forwarded Messages

Date:    26 Apr 91 19:09:50 GMT
From:    overlf!emanuele@kb2ear.ampr.org (Mark A. Emanuele)
Subject: Prodigy or Fraudigy ???

I just downloaded this from a local bbs and thought it might be interesting.


 ### BEGIN BBS FILE ###

   218/250: Fraudigy  
   Name: George J Marengo #199 @6974 
   From: The Gangs of Vista (Southern California) 619-758-5920


        The L. A. County District Attorney is formally investigating PRODIGY
for deceptive trade practices.  I have spoken with the investigator assigned
(who called me just this morning, February 22, 1991).

We are free to announce the fact of the investigation.  Anyone can file a
complaint.  From anywhere.

The address is:                                                         

District Attorney's Office                                              
Department of Consumer Protection                                       
Attn: RICH GOLDSTEIN, Investigator                                      
Hall of Records   Room 540
320 West Temple Street                                                  
Los Angeles, CA 90012                                                   

Rich doesn't want phone calls, he wants simple written statements and
copies (no originals) of any relevant documents attached.  He will
call the individuals as needed, he doesn't want his phone ringing off
the hook, but you may call him if it is urgent at 1-213-974-3981.

PLEASE READ THIS SECTION EXTRA CAREFULLY.  YOU NEED NOT BE IN
CALIFORNIA TO FILE!!

        If any of us "locals" want to discuss this, call me at the Office
Numbers: (818) 989-2434; (213) 874-4044.  Remember, the next time you pay your
property taxes, this is what you are supposed to be getting ... service.  Flat
rate?  [laugh] BTW, THE COUNTY IS REPRESENTING THE STATE OF CALIFORNIA.  This
ISN'T limited to L. A.  County and complaints are welcome from ANYWHERE in the
Country or the world. The idea is investigation of specific Code Sections and
if a Nationwide Pattern is shown, all the better.

LARRY ROSENBERG, ATTY

  Prodigy: More of a Prodigy Than We Think? 
  By: Linda Houser Rohbough                                    

     The stigma that haunts child prodigies is that they are difficult to get
along with, mischievous and occasionally, just flat dangerous, using innocence
to trick us. I wonder if that label fits Prodigy, Sears and IBM's
telecommunications network?

     Those of you who read my December article know that I was tipped off at
COMDEX to look at a Prodigy file, created when Prodigy is loaded, STAGE.DAT. I
was told I would find in that file personal information from my hard disk
unrelated to Prodigy.  As you know, I did find copies of the source code to our
product FastTrack, in STAGE.DAT. The fact that they were there at all gave me
the same feeling of violation as the last time my home was broken into by
burglars.
                                                                          
     I invited you to look at your own STAGE.DAT file, if you're a Prodigy
user, and see if you found anything suspect. Since then I have had numerous
calls with reports of similar finds, everything from private patient medical
information to classified government information.
                                                                          
     The danger is Prodigy is uploading STAGE.DAT and taking a look at your
private business. Why? My guess is marketing research, which is expensive
through legitimate channels, and unwelcomed by you and I.  The question now is:
Is it on purpose, or a mistake?  One caller theorizes that it is a bug. He
looked at STAGE.DAT with a piece of software he wrote to look at the physical
location of data on the hard disk, and found that his STAGE.DAT file allocated
950,272 bytes of disk space for storage.
                                                                          
     Prodigy stored information about the sections viewed frequently and the
data needed to draw those screens in STAGE.DAT. Service would be faster with
information stored on the PC rather than the same information being downloaded
from Prodigy each time.
                                                                          
     That's a viable theory because ASCII evidence of those screen shots can
be found in STAGE.DAT, along with AUTOEXEC.BAT and path information. I am led
to believe that the path and system configuration (in RAM) are diddled with and
then restored to previous settings upon exit. So the theory goes, in allocating
that disk space, Prodigy accidentally includes data left after an erasure (As you
know, DOS does not wipe clean the space that deleted files took on the hard
disk, but merely marked the space as vacant in the File Allocation Table.)
                                                                           
     There are a couple of problems with this theory. One is that it assumes
that the space was all allocated at once, meaning all 950,272 bytes were
absorbed at one time.  That simply isn't true.  My STAGE.DAT was 250,000+ bytes
after the first time I used Prodigy. The second assumption is that Prodigy
didn't want the personal information; it was getting it accidentally in uploading
and downloading to and from STAGE.DAT. The E-mail controversy with Prodigy
throws doubt upon that. The E-mail controversy started because people were
finding mail they sent with comments about Prodigy or the E-mail, especially
negative ones, didn't ever arrive. Now Prodigy is saying they don't actually
read the mail, they just have the computer scan it for key terms, and delete
those messages because they are responsible for what happens on Prodigy.
                                                                           
     I received a call from someone from another user group who read our
newsletter and is very involved in telecommunications.  He installed and ran
Prodigy on a freshly formatted 3.5 inch 1.44 meg disk. Sure enough, upon
checking STAGE.DAT he discovered personal data from his hard disk that could
not have been left there after an erasure. He had a very difficult time trying
to get someone at Prodigy to talk to about this.
                                                                       
                           --------------

Excerpt of email on the above subject:

THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST ALL
WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY.  THE FILE
DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR
PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY
SUB-DIRECTORY CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND WAITING
FOR THAT NEXT MENU TO COME UP, THEY'RE UPLOADING YOUR STUFF AND LOOKING
AT IT.

     TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A
GENTLEMAN WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS A
COLUMNIST ON PRODIGY. HE SAID THAT THE INFO FOUND IN 'FRAUDIGY.ZIP'
WAS INDEED TRUE AND THAT IF YOU READ YOUR ON-LINE AGREEMENT CLOSELY,
IT SAYS THAT YOU SIGN ALL RIGHTS TO YOUR COMPUTER AND ITS CONTENTS TO
PRODIGY, IBM & SEARS WHEN YOU AGREE TO THE SERVICE.

     I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN
'PRODIGY' KIT.  I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD DRIVE
PARTITION, AND ONE ONTO A 1.2MB FLOPPY.  ON THE FLOPPY VERSION, UPON
INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE FILE 'STAGE.DAT'
CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE CONTAINED IN MY 'C:'
DRIVE BOOT DIRECTORY.  USING THE HARD DRIVE DIRECTORY OF PRODIGY THAT
WAS SET UP, I PROCEEDED TO LOG ON.  I LOGGED ON, CONSENTED TO THE
AGREEMENT, AND LOGGED OFF. REMEMBER, THIS WAS A VIRGIN SETUP KIT.

     AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND
IN THE PRODIGY SUBDIRECTORY.  IN THOSE FILES, I FOUND POINTERS TO
PERSONAL NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY
DRIVE, AND AT THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY
PC-DESKTOP APPOINTMENTS CALENDAR.

     CHECK IT OUT FOR YOURSELF.

 ### END OF BBS FILE ###

I had my lawyer check his STAGE.DAT file and he found none other than
CONFIDENTIAL CLIENT INFO in it.

Needless to say he is no longer a Prodigy user.


Mark A. Emanuele   V.P. Engineering  Overleaf, Inc.
218 Summit Ave   Fords, NJ 08863   (908) 738-8486 
emanuele@overlf.UUCP


[Moderator's Note: Thanks very much for sending along this fascinating
report for the readers of TELECOM Digest. I've always said, and still
believe that the proprietors of any online computer service have the
right to run it any way they want -- even into the ground! -- and
that users are free to stay or leave as they see fit. But it is really
disturbing to think that Prodigy has the nerve to rip off private stuff
belonging to users, at least without telling them. But as I think
about it, *who* would sign up with that service if they had bothered
to read the service contract carefully and had the points in this
article explained in detail?    PAT]

- ------- Message 2

Date:    27 Apr 91 19:53:00 GMT
From:    0004133373@mcimail.com (Donald E. Kimberlin)
Subject: Re: Prodigy Questions

     In article (Digest v11, iss303), Arnette P. Baker  asks:

> I am looking for information on Prodigy.  I am looking into it because
> my parents just bought a PC and are looking for things to do with it
> ...question I have involves e-mail.

     Prodigy's interpretation of what constitutes "mail," particularly e-mail,
has been a particular point of discussion.  It seems that from the perspective
of a lot of the public, Prodigy wants to have its cake and eat it too, in that
they CHARGE you for its delivery, and then CENSOR anything they don't like.

     Even the Postal Service doesn't look inside your envelope when you mail
something, even though that may be something objectionable.  We can, of course,
understand an electronic bulletin board's System Operator reserving the right
to delete items not in keeping with the Sysop's policies.

     But Prodigy seems to be trying to go a step further, charging you for more
than a minimal amount of transmission, and heavily censoring what it
transports.  This might sound incredible, but the press report I saw at the
peak of public outrage concerned Prodigy censoring a message in which a coin
collector was asking about "Roosevelt dimes."  When he asked the Prodigy staff
why they deleted his mail, the unbelievably stupid retort was that "promoting
personalities is prohibited."  When he pressed about what "personality
promotion" was involved with Roosevelt dimes, the more unbelievably stupid
reason was, "Why, Roosevelt Dimes, the Chicago Bears football player, of
course!"  I have NOT made this story up.  I wish I could recall the publication
source to prove it.

     Incidents like this have caused sufficient public outcry that Prodigy is
under investigation, as summed up in the following snippet from , 4/22/91:

                      "FAR FROM A PRODIGY"

     (Network World, April 15, p.4) Prodigy Services Co. is being investigated
for possible criminal or civil violations stemming from its electronic-mail
pricing and bulletin board editing policies.  Users are complaining about the
on-line service's recently established 25-cent price tag for every E-mail
message after the first 30 allowed per month; they claim that Prodigy's policy
of deleting or editing controversial or obscene' (since when are Roosevelt
dimes either controversial OR obscene?) "messages from bulletin boards violates
the First Amendment.  (DA Probes BBS Practices at Prodigy, by Barton
Crockett)."

     My own opinion is that your parents would be best off to assert one of our
few remaining rights, to just take that Prodigy kit and return it to Sears
before they cancel the famous Sears money-back guarantee.  There are plenty of
other places to have both bbs recreation and to use "electronic mail" provided
by responsible parties.  Even MCIMail has a deal where your e-mail (of moderate
length) costs only 25 cents per message, while it reaches a far wider range,
including real business.

     And, oh. Compu$erve's "e-mail" to the outside world is really a port to
MCIMail, so why not just open an MCIMail account and buy it direct, and
cheaper?

     All you need to do to help is to get an easy-to-use comms program for
their Sears-bought PS/1 (I recommend BOYAN as a very easy program for beginners
to use, especially if you install it and enter the dialing directory numbers
for them) and introduce them to the world of REAL bbs-ing. In fact, if you get
onto a commercial e-mail service and request it of our Moderator, he can get
the Digest delivered to DOS, MAC or what-have-you there daily!

[Moderator's Note: This is correct. TELECOM Digest can be (and is!) delivered
to almost every commercial email service in the world.  Copies go to MCI Mail,
ATT Mail, Telemail/Sprint Mail, Compuserve, Portal, and many others including
the Telebox Mail system in Germany.  All you have to do is provide me with a
working path to get there.  PAT]

- ------- Message 3

Date:    26 Apr 91 13:56:00 GMT
From:    CRUZ_A@ccl2.eng.ohio-state.edu
Subject: GEnie Management Acting a la Prodigy Management?

Dear Telecom Readers:

In the {MacWeek}, April 16th, 1991, Volume 5, Number 14 issue, there
is a story about a user lockout in the GEnie on-line service:

A Toronto couple requested an explanation of the online service's recent
lockout of members who disagreed publicly with GEnie management.

Linda Kaplan, a GEnie member for more than five years, had both her internal
account and her paid account discontinued last month in what she described as a
series of personality conflicts and escalating misunderstandings.  She said
that GEnie cancelled accounts not on the basis of rules being broken but just
because someone lost their temper.

Apparently, GEnie officials refused to comment on the matter but said
that they would clarify their policies in the future.

Ms. Kaplan had a paid account but she mainly used a systemwide free account
designed to bring in more users.  She said that some account holders were bound
by the secret agreements forbidding them from criticizing GEnie, its sysops or
executives.  She added that friends who inquired about her absence from forums
or who questioned management's handling of the incident either in on-line
forums or private electronic mail found themselves drawn into the fray.

When another long time user, Peter Pawlyschyn, contacted management
and inquired about his rights on the service, he found himself
censored and harassed.

Other members have said that they were reduced to read-only status or had their
accounts cancelled after simply mentioning Kaplan's name in postings.

Soooooo, here we go again with the issue of censoring certain
materials in large online systems.  Or is it really an issue?
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^
Alex Cruz  Associate, Center for Advanced Study in Telecommunications
Consultant, American Airlines Decision Technologies

- ------- End of Forwarded Messages
------- End of Forwarded Message

------------------------------

Date:      Tue, 30 Apr 91 10:24:00 N
From:      Herman J. Woltring 
Subject:   Email, Privacy, and `small print'
Sender:    Biomechanics and Movement Science listserver 

Considering yesterday's issue of the RISKS-Forum Digest (volume 11, No. 56)
on breach of privacy, email censoring, and improper `small print' in contract
clauses, I am reposting part of my note of last February on public access to
email facilities.  [...]

> Date:      Sat, 23 Feb 91 11:10:00 N
> Sender:    Biomechanics and Movement Science listserver 
> From:      Herman J. Woltring
> Subject:   Public access to Internet etc.
>
> Dear Biomch-L readers,
>
> While email communication is usually available for free to account holders
> on EARN/BITNET, Internet, etc., (log-on time, disk usage, paper output
> typically being charged), it may be useful to mention that email access is
> also becoming increasingly available through PC and modem facilities by
> telephone [...; typically, number of transmitted bytes and/or logon time
> being charged -- HJW].
>
> Interestingly, one such service (PRODIGY) has been accused of censoring
> email to and from its subscribers.  Whether this allegation is true or
> not, such issues do raise concern about freedom of opinion, free access
> to information, and similar fundamental rights in a networking context,
> especially if (with some justification, perhaps) `network harassment' is
> used as an argument to counter network `flaming'.  As said at a previous
> occasion: "verba volant, scripta manent" ...

The allegations in RISKS-11.56 against Prodigy and GEnie, two commercial
email service providers in North America, warrant considering the question
whether it is about time that Postal legislation (i.e., postal services are
not entitled to refuse, (unnecessarily) delay, read, or censor your mail,
or to divert it from its destination without a proper court order) shall
also apply to electronic mail, whether through private or public channels.

I do not propose to have this topic as a debate on this list; however, I think
that a pointer to the relevant debate is not out of place even on a discussion
list like ours, and I shall be happy to consider any comments sent to me
privately.  I might mention in this respect that the Dutch legislative is
currently considering a Computer Crime Bill in which unauthorized access to
computers, e.g., by networking, is considered a felony, and that some of the
proposals remind more of the U.K.'s Official Secrets Act than of the U.S.A.'s
Freedom of Information Act.  One heavily debated topic is to what extent
computer trespassing will be declared a criminal offence if no appropriate
security is provided by system management.  If not, private (and public)
interests can afford to neglect system security and yet call upon public
authorities for free to protect their interests once they observe that their
sloppiness has been `used'.  This is unusual in Civil Law as any insurance
company will be happy to point out, and not very compatible with the classical
view that Criminal Law is the Ultimate Resort, `when all else fails'.

Herman J. Woltring, Biomch-L co-moderator & (former) member, Study-committees
on s/w & chips protection / Computer crime, Neth. Society for Computers and Law

------------------------------

Date: Tue, 30 Apr 91 09:43:47 EDT
From: epstein%trwacs@uunet.UU.NET (Jeremy Epstein)
Subject: Prodigy commentary

I found the comments on Prodigy very enlightening.  I'm glad I'm
not a subscriber.  However, I was very concerned by one comment:

>     I invited you to look at your own STAGE.DAT file, if you're a Prodigy
>user, and see if you found anything suspect. Since then I have had numerous
>calls with reports of similar finds, everything from private patient medical
>information to classified government information.

If you have classified government information on your PC, you should
not be using it to call *anywhere* using *any* comm package.  That's
just good sense (and it may even be the law, I'm not sure).

I'm certainly not defending Prodigy...if what was described is accurate,
it certainly sounds like a mass invasion of privacy, theft, and some
nice big lawsuits.  Has any of this made it into the non-technical press
(e.g., Wall Street Journal, NY Times, LA Times)?

Jeremy Epstein, Trusted X Research Group, TRW Systems Division, Fairfax
VA   +1 703/876-8776   epstein@trwacs.fp.trw.com

------------------------------

Date: 30 Apr 91 15:18:47 EDT (Tue)
From: tneff@bfmny0.bfm.com (Tom Neff)
Subject: Prodigy and STAGE.DAT strangeness

The simplest explanation for private customer data appearing quasirandomly in
the Prodigy STAGE.DAT file is that the access program may allocate buffers
without clearing them, then write a comparatively little bit of binary data
into them and flush to disk.  The unused buffer areas still contain whatever
was lying around in memory before Prodigy was started, and this "garbage" will
end up on disk.

This neither proves malfeasance nor innocence on Prodigy's part; but, at worst,
carelessness.  Clearly their program *could*, if it wished, transmit your
computer's entire memory and/or disk contents back home to the Prodigy host.
And it could do so *without* storing anything in a file like STAGE.DAT!  That's
simply a RISK of accepting some black box piece of software in the mail and
running it.  "Run me," Alice?
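
[Added example, not part of Tom Neff's post and not Prodigy's code: a small C
sketch of the mechanism he describes, in which a buffer is reused without being
cleared, a short record is copied in, and the whole buffer is written to a
file.  The arena, record size, payload and "residue" string are all constructed
for illustration.]

```c
/* Added illustration; not Prodigy's code. All names and data are hypothetical. */
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 64   /* assumed fixed record size in the cache file */

/* Stands in for a memory block that an earlier program used and released. */
static unsigned char arena[RECORD_SIZE];

/* Simulate the earlier program leaving private text behind in memory. */
static void leave_residue(const char *secret)
{
    size_t n = strlen(secret);
    memset(arena, 0, sizeof arena);
    memcpy(arena, secret, n < sizeof arena ? n : sizeof arena);
}

/* Write one fixed-size record. With clear_first == 0 the buffer is reused
   as found (the careless pattern); with clear_first != 0 it is zeroed
   before the payload is copied in. Returns 0 on success, -1 on I/O error. */
static int write_record(FILE *f, const char *payload, int clear_first)
{
    unsigned char *buf = arena;           /* the "freshly allocated" buffer */
    size_t n = strlen(payload);
    if (n > RECORD_SIZE) n = RECORD_SIZE;
    if (clear_first) memset(buf, 0, RECORD_SIZE);
    memcpy(buf, payload, n);
    /* The whole record goes to disk, not just the n payload bytes. */
    return fwrite(buf, 1, RECORD_SIZE, f) == RECORD_SIZE ? 0 : -1;
}

/* Audit the first record: return the number of non-zero bytes after the
   payload (slack) and set *found if `needle` appears anywhere in it. */
static int audit_record(FILE *f, size_t payload_len, const char *needle, int *found)
{
    unsigned char rec[RECORD_SIZE];
    size_t nlen = strlen(needle), i;
    int slack = 0;
    *found = 0;
    rewind(f);
    if (fread(rec, 1, RECORD_SIZE, f) != RECORD_SIZE) return -1;
    for (i = payload_len; i < RECORD_SIZE; i++)
        if (rec[i] != 0) slack++;
    for (i = 0; nlen > 0 && i + nlen <= RECORD_SIZE; i++)
        if (memcmp(rec + i, needle, nlen) == 0) { *found = 1; break; }
    return slack;
}

/* Run one pass: plant residue, write a short record, audit the file.
   Returns the slack byte count, or -1 if the temporary file failed. */
static int run_demo(int clear_first, int *found)
{
    const char *payload = "MENU:HOME";    /* constructed application data */
    FILE *f = tmpfile();
    int slack;
    *found = 0;
    if (f == NULL) return -1;
    leave_residue("PATIENT NOTE: J. DOE, FOLLOW-UP 3/14");  /* constructed */
    if (write_record(f, payload, clear_first) != 0) { fclose(f); return -1; }
    slack = audit_record(f, strlen(payload), "FOLLOW-UP", found);
    fclose(f);
    return slack;
}

int main(void)
{
    int found, slack;
    slack = run_demo(0, &found);
    printf("uncleared buffer: %d slack bytes, residue found: %d\n", slack, found);
    slack = run_demo(1, &found);
    printf("cleared buffer:   %d slack bytes, residue found: %d\n", slack, found);
    return 0;
}
```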

------------------------------

Date: Tue, 30 Apr 91 11:32:55 PDT
From: rhartman@thestepchild.esd.sgi.com (Robert Hartman)
Subject: Re: Prodigy, etc. (RISKS-11.56)

WRT the controversies over censoring e-mail and selectively denying service to
customers who complain, there already are some laws that should be applicable.
It seems to me that there's nothing all that different between an e-mail
service and a phone company--except the format of the data being carried. The
various phone and long-distance companies are common carriers, and governed by
FCC rules.  Am I wrong in thinking that a common carrier is not allowed to
interfere with the communications they carry, and that they cannot eavesdrop
without a court order?  Now, broadcast mail may be open for public scrutiny and
rebuttal, but if a carrier offers a "conference call" service, I don't believe
that they can restrict anyone from using it, or from saying what they like in
the course of such a call.  Bulletin board postings seem to me to be analogous
to conference calls in the same way that private e-mail messages are akin to
private calls.

A sharp lawyer ought to be able to convince a judge or jury in a civil suit
(where a preponderance of evidence is all that is necessary to win) that
Prodigy and the others, in offering their e-mail and BBS services, are
operating as de-facto carriers for electronic communications.  As such, they
should be held accountable under the same rules as any other carrier, and
liable for any breaches.  Esp.  when they are run by large corporations with
legal staffs.  They can't plead ignorance.  I can't understand why they'd risk
legal exposure in this way, not to mention the negative publicity of a trial!

A risk in obtaining such a ruling would be that all BBS operators--at least
those using the phone lines, might have to be licensed.  But then, if there are
enough of them who write enough letters to legislators, a new class of licenses
for "amateur e-mail and BBS carriers" could be mandated.  We could even make it
an automatically-granted license, so long as there is no charge for the
service.

As far as the issue of Prodigy uploading private data goes, this sounds like a
clear case of wire fraud to me.  Wish I were the lawyer to get that case!  Can
you spell "class action?"  I knew you could.  Mr. and Mrs. Middle Class America
will be mightily annoyed if this is true.

------------------------------


Newsgroups: comp.risks
Subject: RISKS DIGEST 11.59
From: risks@CSL.SRI.COM (RISKS Forum)
Date: 1 May 91 23:34:44 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Approved: risks@csl.sri.com
Lines: 417

RISKS-LIST: RISKS-FORUM Digest  Wednesday 1 May 1991  Volume 11 : Issue 59

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents: 
"Losing" a Warehouse (Jane Beckman)
Soon, ATMs May Take Your Photograph, Too (Paul B. Carroll via Michael W.Miller)
Old O/S and Network Security (Bob Estell)
Genie (Chuq Von Rospach)
Prodigy Problem in Major Press (Bill Biesty)
Re: Prodigy (Chuq Von Rospach, A. Padgett Peterson, Mary Culnan, Bill Seurer)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.  For
 vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1".
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

- ----------------------------------------------------------------------

Date: Wed, 1 May 91 16:14:52 PDT
From: jane@stratus.swdc.stratus.com (Jane Beckman)
Subject: "Losing" a Warehouse

I've been meaning to post this for a while, as it is a perfect illustration 
of the hazards of a system that gets too dependent on computer programs.  

In 1989, Montgomery Ward had a sale of "discontinued, one-of-a-kind, and
out-of-date merchandise."  A fellow I was dating, who was a Wards employee, told 
me the story of where it had come from.  Around 1985, Wards had reprogrammed 
their master inventory program.  Somehow, the entry for the major distribution 
warehouse in Redding, California, was left out.  One day, the trucks simply 
stopped coming.  Nothing was brought into the warehouse, and nothing left.  
Paychecks for the employees, however, which were on a different system, kept 
coming.  While this was baffling to the employees, they figured it was better 
not to make waves.  (Rumor has it that they were afraid the warehouse had 
been phased out, and they had "forgotten" to lay them off, and figured it was
better to stay employed.)  They went to work every day, and moved boxes 
around the warehouse, and submitted timecards, for three years, until someone 
doing an audit finally wondered why major amounts of merchandise had simply 
disappeared.  Tracing things back, the missing warehouse was finally re-found. 
They were then stuck with an entire warehouse full of white elephants---
merchandise that was three years out of date.  Thus, Wards stores throughout 
California ended up with major amounts of discontinued merchandise to sell at 
deep discounts.  Wards, being majorly embarrassed, tried to downplay how the 
merchandise was "found."  Or, more specifically, why it had become lost in 
the first place.  

The store employees got a big chuckle over the warehouse employees being 
afraid to mention this oversight to the higher-ups, for fear of becoming 
unemployed.  Many references to "like jobs with the government."  

Of course, the question is: is this the only case like this?  Are there more 
places where an operator entry glitch has caused some function to simply 
disappear?  Things like this happen when live people are accidentally classed 
as "dead," etc.  What happens if someone types the wrong thing, and the local 
branch of your bank, or McDonald's, or whatever, simply ceases to exist, to 
the central computer?

   Jane Beckman  [jane@swdc.stratus.com]

- ------------------------------

Date: Wed, 1 May 91 08:06:51 pdt
From: mikeym@well.UUCP (Michael W. Miller)
Subject: Soon, ATMs May Take Your Photograph, Too
 
Soon, ATMs May Take Your Photograph, Too,  By Paul B. Carroll,
Wall Street Journal, 25 April 1991, Page B1 (Technology)
 
*Smile* when you use that automated teller machine.  Miniature cameras may soon
become widespread in ATMs and elsewhere.
   At Edinburgh University in Scotland, researchers have produced a single
computer chip that incorporates all the circuitry needed for a video camera.
Even with a lens that fits right on top of the chip, it's still just the size
of a thumbnail. When they become available in a year or so, such cameras may
carry as little as a $40 price tag.
   NCR thinks these tiny cameras could find their way into lots of ATMs in the
next few years. The computer maker already sells ATMs that include cameras,
allowing banks to doublecheck on people who contend their account was debited
even though they didn't use an ATM that day. But those cameras are expensive,
especially because the big box with the electronics has to be so far back in
the ATM that it requires a long, elaborate lens. The lens also gives away to
potential cheats the fact that the camera is there, whereas the new tiny
cameras will just need a pinhole to peep through.
   "We see this as a breakthrough," says Greg Scott, an engineer with NCR in
Dunfermline, Scotland.
   The Scottish Development Agency, which supplied some of the initial research
funds, says the tiny cameras may also find their way into baby monitors,
picture telephones, bar-code readers and robotic vision systems.

- ------------------------------

Date: 1 May 91 07:59:00 PDT
From: "351M::ESTELL" 
Subject: Old O/S and Network Security

For years now, there has been a reasonable solution to the problem of
"an old O/S" and network security: Install a newer, much improved O/S
(WRT network security) _between_ the open network, and the "closed"
community that uses the old O/S to process valuable information.

If you REALLY want security, install a Honeywell SCOMP between the
internet, and your local host, LAN, or whatever; at less cost, and more
risk, install any C2 or better O/S host at that connection site.  Then
the would-be hacker has to penetrate something a bit better than the
"standard out of the box" 5-pin lock that yields in *seconds*.

Such a connection can be layered; e.g., one can put a "C2" host (such as
a DEC VAX running VMS 5.x, with security options turned on) on the
internet, as a MAIL host; then a "B2" (or better) system between that
MAIL machine on the internet, and another MAIL machine on the local
network; and even other "B2" (or better) nodes within the local net
protecting the most "valuable" hosts on it.  This is the electric analog
to the fence around the base, the lock on the building door, the locked
office, and the safe inside the office.

The continuing reluctance of "management" (both "general" and "system") to
adopt this (or other, better) solutions is perhaps one key to the continuing
lack of security.  Are we still "hung up" on the cost of hardware, versus cost
of personnel time to chase intruders?  Are we too proud to admit that we need
to improve?  Is the old aphorism right: "Never attribute to malice anything
that can be explained by stupidity."
                                                   Bob

              [The Honeywell SCOMP -- still the only A1 evaluated system -- 
              is now the Bull SCOMP.

- ------------------------------

Date: 1 May 91 06:17:40 GMT
From: chuq@Apple.COM (Chuq Von Rospach)
Subject: Genie: (was Re: Email, Privacy, and `small print')

By the way, to clear things up before the flaming starts, GEnie has recently
clarified its user policies for acceptable behavior (in the wake of the Linda
Kaplan affair, of which I'm trying to avoid speaking about). Their policy on
email is quite clear -- they say that junk mail, chain letters, offensive or
libelous mail, etc etc are unacceptable -- but they also make it perfectly
clear that GEnie does not under any circumstances monitor or read email on
their systems. They will investigate and deal with inappropriate mail ONLY
after complaints from the recipients.

Please don't start lumping GEnie and Prodigy together. They are like Night
and Orange Juice.

chuq (not attached to GEnie in any official way, although they do subsidize
one of my GEnie accounts. Aren't disclaimers silly?)

Chuq Von Rospach >=< chuq@apple.com >=< GEnie:CHUQ or MAC.BIGOT >=< ALink:CHUQ
     SFWA Nebula Awards Reports Editor    =+=    Editor, OtherRealms
Book Reviewer, Amazing Stories    ---@---    #include 
Recommended: ORION IN THE DYING TIME Ben Bova (Tor, Aug, ***-); SACRED
VISIONS Greeley&Cassutt (Tor, Aug, ****+); MEN AT WORK George Will (****);
XENOCIDE Orson Scott Card (August, ****)

- ------------------------------

Date: Wed, 1 May 91 16:21:52 CDT
From: wjb@edsr.UUCP (Bill J Biesty)
Subject: Prodigy Problem in Major Press

This is the summary of the WSJ article I get mailed to me on a daily basis.
Interesting that Prodigy does NOT deny that it sends customer data to their
host; ONLY that they DO NOT USE it.  If they "haven't any interest in getting
there" as the summary says, why are they spending their own money to get
customer data in the first place?  (Prodigy charges a lump fee for unlimited
connect time, so they are absorbing the cost of sending this extra data.)
Bill Biesty

 SUBJECT: WSJ DAILY EXTRACT 5/1/91    POSTED 05/01/91 16:09
 FROM: EDS BULLETINS                                                 
     WALL STREET JOURNAL DAILY EXTRACT           05/01/91
                                                                          
The following "extracts" are taken from Wall Street Journal (WSJ) articles and
are posted on the eMail Bulletin Board daily.  Technical Resource Acquisition
(TRA), assumes no responsibility for the accuracy of the extracts, which are
simply provided as a service to those who do not have the time to read the WSJ.
The extracts do not represent the opinion of EDS nor TRA, and are posted for
informational purposes only.

[...other summaries deleted...]

 o Subscribers to the popular Prodigy computer service are discovering an
unsettling quirk about the system: It offers Prodigy's headquarters a peek into
users' own private computer files.  The quirk sends copies of random snippets
of a PC's contents into some special files in the software Prodigy subscribers
use to access the system.  Those files are also accessible to Prodigy's central
computers, which connect to users' PCs via phone lines.  Prodigy, a joint
venture of IBM and Sears, Roebuck & Co., offers nearly one million users
electronic banking, games, mail and other services.  The service's officials
say they're aware of the software fluke.  They also confirm that it could
conceivably allow Prodigy employees to view those stray snippets of private
files that creep into the Prodigy software.  But they insist that Prodigy has
never looked at those snippets and hasn't any intention of ever doing so.  "We
couldn't get to that information without a lot of work, and we haven't any
interest in getting there," says Brian Ek, a Prodigy spokesman.  Nevertheless,
news of the odd security breach has been stirring alarm among Prodigy users.
Many have been nervously checking their Prodigy software to see what snippets
have crept into it, finding such sensitive data as lawyer-client notes, private
phone-lists, and accountants' tax files.  Even though Prodigy users' privacy
doesn't appear to have been invaded, the software problem points up the
security risks that can arise as the nation races to build vast networks
linking PCs via telephone lines.

- ------------------------------

Date: 1 May 91 06:32:03 GMT
From: chuq@Apple.COM (Chuq Von Rospach, only here for the beer)
Subject: Re: Prodigy, etc. (RISKS-11.56)

>It seems to me that there's nothing all that different between an e-mail
>service and a phone company--except the format of the data being carried.

There are actually a LOT of differences. Phone companies are regulated,
quasi-governmental agencies with guaranteed monopolies where the regulating
agency has built a set of regulations to make sure that the phone company
doesn't take advantage of their monopoly.

E-mail services are private businesses that are doing business with
individuals in an unregulated industry.

Now, you can argue that e-mail companies *OUGHT* to be regulated like phone
companies -- but they aren't, and to do so would require legislation (and
probably court fights and other associated legal stuff).

>but if a carrier offers a "conference call" service, I don't believe
>that they can restrict anyone from using it, or from saying what they like in
>the course of such a call.

Sure they can. They are a company doing business. When you sign up with
them, you make an agreement to do business with them within the guidelines
that are set down in the agreement. If you abrogate that agreement (be it
"not pay the bill" or "put the company in a situation of legal liability")
then that company has the right to terminate the agreement.

There is no guarantee of service. Even with the phone company, there is no
guarantee of service -- you don't believe me, go a few months without paying
your bill and argue that you have a right to continue using your phone.

>A sharp lawyer ought to be able to convince a judge or jury in a civil suit
>(where a preponderance of evidence is all that is necessary to win) that
>Prodigy and the others, in offering their e-mail and BBS services, are
>operating as de-facto carriers for electronic communications.

Sorry, I don't buy it. First, when you sign up for GEnie (and others),
you sign an agreement which stipulates the services rendered and the
responsibilities to both parties. What you're trying to do here is convince
a judge/jury that the legal contract you signed is, in fact, not valid. Not
likely to happen.

Second, "de-facto carrier" is, to me, a non-statement. An entity is either a
common carrier legally or it is not. If it is not a common carrier, it can
be held liable for what YOU do on ITS computers. There's no de-facto attached --
unless it is given real, legally binding (through legislation or legal
precedent) common carrier status, a company HAS to have the right to refuse
you service and monitor your behavior for appropriateness, because otherwise
you are in a position of putting them in legal liability without them having
any recourse to protect themselves.

Sounds good -- but your thoughts don't seem to be well thought out as to how
things are in real life.
                                                Chuq

- ------------------------------

Date: Wed, 1 May 91 12:03:26 -0400
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: PRODIGY

In the current issue of the Prodigy Star (newsletter sent out from Prodigy to
users) there is a two page article from Harold Goldes (one of the Prodigy
EXPerts) on computer viruses. While it is quite informative, the issue of
online updating of executables/data is skated, though one point seems clear -
they do not guarantee that you will not get a virus from Prodigy, and if you
do, it is your problem.

- ------------------------------

Date: 1 May 91 11:40:00 EDT
From: "Mary Culnan" 
Subject: Prodigy

Prodigy recently ran an ad in DM News, a weekly direct marketing trade
newspaper with the header "..But you can't miss with Prodigy Direct Mail."  The
ad is encouraging companies to use Prodigy for direct marketing and says in
part,

  "Now, for the first time, marketers can deliver electronic mail to targeted
  segments of the PRODIGY service member file..."

Prodigy service members are highly-responsive, highly-qualified prospects.
They are young, well-educated, well-paid and well-traveled.  And they're active
users of the PRODIGY service, signing on 10 times a month on average, for about
20 minutes each time.

Members' demographic data is merged with their PRODIGY service usage
information to offer you more than a dozen selections based on their interests
and activities, such as personal finance, sports, computers, travel, etc....

PRODIGY Direct Mail offers you the most sophisticated application available of
high-tech, high-touch direct-to-consumer marketing."

Clearly they are looking over the shoulders of every user--a point that was
also made in the recent NOVA show, "We Know Where You Live."
                                                                Mary Culnan

- ------------------------------

Date: Wed,  1 May 1991 11:01:59 -0500 (CDT)
From: Bill Seurer 
Subject: A Prodigy experiment

Because of all the rumors flying around of Prodigy uploading data off of
users' harddisks I decided to test if this was indeed happening.

All of these rumors are based on the fact that the staging file (STAGE.DAT)
Prodigy uses to buffer its screens on the harddisk sometimes is found to
contain bits and pieces of user files and directories.  Some users claim this
proves Prodigy is uploading the data while others just say it is an artifact of
the way that DOS allocates files and because Prodigy does not initialize the
file when it is created.

I devised and carried out the following experiment in order to test if this was
happening.

The results are:
  Prodigy does not appear to be uploading any data.
  The STAGE.DAT file contains bits and pieces of ERASED files.

The experiment went as follows:

1) Re-installed Prodigy.  I erased all of the files Prodigy had
   installed on my system.
2) Modified CONFIG.SYS and AUTOEXEC.BAT to remove all TSRs and have 0
   DOS buffers.  I removed the disk caching software I usually use.  This
   was to prevent any leftovers in buffers or caches from showing up in
   STAGE.DAT and so that I could monitor what the harddisk was doing more easily.
3) Defragmented the harddisk so that all files were in contiguous blocks.
4) I ran CLEANDSK and CLEANEND to write zeroes over all the unused parts
   of the disk and over the unused ends of DOS files.
5) Powered the PC off and then on.  All memory was therefore flushed and
   the minimal system with no buffers was in use.
6) I created several large (500k) files each containing a different
   pattern of characters.  After all were created, I erased them.  This was
   to test whether STAGE.DAT is picking up bits of erased files.
7) I installed Prodigy using a large buffer.  This created a STAGE.DAT
   file that was just under 1 meg in size.
8) I browsed STAGE.DAT to see what was inside.  The first 250k or so had
   interesting stuff and the other 750k was 0's.  The interesting stuff was
   mostly buffered Prodigy windows (I could tell by the text that was mixed
   in) along with scattered pieces of one of the files I had created and
   deleted in step 7.  This file made up about 100k of STAGE.DAT, and given
   where the data was I'd guess that the first 200k or so of STAGE.DAT had
   been overlaid on the disk where this file used to be.  The *ONLY*
   non-Prodigy thing that I saw was a copy of my environment variables
   (COMSPEC, PATH, and PROMPT).  I noted that the windows that were
   buffered were the "old" windows (Prodigy has changed many of its windows
   since I got my installation kit).
9) Made a copy of STAGE.DAT so that I could compare it with an updated
   copy after I signed on.
10) I again powered the PC off and on to clear all the memory.
11) I signed on Prodigy.  While on I read some mail, sent some mail,
   read a few BBS appends, and looked at a couple of ads.  Then I signed
   off.  I noticed some things when I signed on.  First of all, it took a
   looooong time.  I surmised that all those "old" windows I had seen in
   STAGE.DAT were being updated.  I carefully watched my modem lights and
   harddisk light (remember, I had no buffering).  About 95% of the time
   (at least!) the modem was receiving data.  At the end of each long
   receive (some were 4 or 5 seconds long) the hard disk would be used
   briefly and the modem transmit light would flicker on.  Then there would
   be another long receive and etc.  At no time was my modem transmitting
   for more than a fraction of a second.
12) Using a hex/ASCII file comparison tool I compared the contents of
   the STAGE.DAT that I had saved with the updated one after I logged off
   Prodigy.  Many of the menus I had noticed the first time I looked were
   changed to the newer formats.  Also, the sign off menus and some of the
   messaging menus had either overwritten some (but not all) of the data
   from the file I had created and deleted in step 7 or been added at the
   end of the 250k of initially used area in STAGE.DAT.  STAGE.DAT now had
   about 280k of used area less perhaps 80-90k of data from the file in step 7.

This experiment shows to me that all the stuff about Prodigy uploading files is
rumors started by people ignorant of how DOS works.  Some people said that they
reinstalled Prodigy to see if that changed STAGE.DAT but they didn't
defragment/zero out their disks first so their data is highly suspect.  If they
had watched their modem lights they would realize that almost no time is spent
sending data to Prodigy when signing on but is almost all spent receiving it.

If I were to run this again I would change step 7 to completely fill up the
unused portion of my harddisk with the dummy files and then erase them all.  My
guess is that the 750k of space at the end of STAGE.DAT would then contain bits
from those files.  Later this week I think I'll try this and see.

My set-up in case you're interested is:

IBM PC-1 (the original) with an Intel Inboard/386, 40 meg harddisk, 2400
baud modem, DOS 3.2, and Prodigy 3.1 (which is the latest I believe).

If you have any questions about the experiment I'm more than happy to answer
them.  Also, if you have suggestions for more things to try next time let me
know.
         - Bill Seurer      IBM: seurer+@rchland  Prodigy: CNSX71A
           Rochester, MN    Internet: seurer+@rchland.vnet.ibm.com
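
The mechanism this experiment tests, as an added example that is not part of the original posting: a simplified Python model of a volume where erasing a file leaves its bytes in place and a newly allocated file is never initialized. ToyDisk, the cluster size, the file names and the byte patterns are assumptions constructed for illustration; this is not DOS's allocation code or Prodigy's software.

```python
CLUSTER = 2048  # assumed allocation unit for this toy model

class ToyDisk:  # erasing a file frees its clusters but leaves their bytes
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)  # all zero, as after a wipe
        self.free = list(range(clusters))
        self.files = {}

    def create(self, name, clusters, fill=None):
        self.files[name], self.free = self.free[:clusters], self.free[clusters:]
        if fill is not None:  # otherwise the clusters keep whatever they held
            for i in range(clusters):
                self.write(name, i, fill * CLUSTER)
    def write(self, name, index, payload):
        start = self.files[name][index] * CLUSTER
        self.data[start:start + len(payload)] = payload
    def delete(self, name):
        self.free = sorted(self.free + self.files.pop(name))
    def read(self, name):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.files[name])

def classify(data, planted):
    """Label each cluster: 'zero', the planted file it matches, or 'other'."""
    labels = []
    for off in range(0, len(data), CLUSTER):
        chunk = data[off:off + CLUSTER]
        hit = [n for n, b in planted.items() if chunk == b * len(chunk)]
        labels.append("zero" if not any(chunk) else hit[0] if hit else "other")
    return labels

def changed(before, after):
    """Cluster indexes whose bytes differ between two snapshots."""
    return [i // CLUSTER for i in range(0, len(before), CLUSTER)
            if before[i:i + CLUSTER] != after[i:i + CLUSTER]]

def run_experiment():
    planted = {"DUMMY1": b"A", "DUMMY2": b"B"}   # constructed test patterns
    disk = ToyDisk(16)
    for name, byte in planted.items():           # step 6: create the files...
        disk.create(name, 4, fill=byte)
    for name in planted:                         # ...then erase them all
        disk.delete(name)
    disk.create("STAGE.DAT", 12)                 # step 7: never initialized
    disk.write("STAGE.DAT", 0, b"WINDOW" * 300)  # a buffered screen
    before = disk.read("STAGE.DAT")              # step 9: saved copy
    disk.write("STAGE.DAT", 1, b"MENU" * 512)    # step 11: session update
    after = disk.read("STAGE.DAT")
    return classify(before, planted), classify(after, planted), changed(before, after)
```

In the model, the planted patterns appear inside STAGE.DAT without any program copying them there, and the only cluster that differs between the two snapshots is the one the session overwrote.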

- ------------------------------

End of RISKS-FORUM Digest 11.59
************************


 
