TO........All FROM......Tomas Hood SUBJECT...PRODIGY WARNING! DATE......10:46pm 01-May-91 CONTROL...PID: RA 1.01 CONTROL...MSGID: 1:352/777 4dbde2c8 CONTROL...REPLY: 1:352/777 4dbde128 * Message originally: From: Tomas Hood To : All Date: 05-01-91 Area: "the Pacific Northwest Chat" * Forwarded by Tomas Hood using RemoteAccess 1.01 The following message was contained in another echo that sees limited distribution. This is of concern to a great many of you. -=-=-=-=-=-=-=-=-=-=-=-=-=- * Message originally: From: Steve Shapiro To : All Date: 04-30-91 Area: "SHAREWRE FIDO Shareware" * Forwarded by Steve Winter using RemoteAccess 1.01+ While this is not exactly on-topic, I felt that it would be very important to many of you because I know that you are members of Prodigy. I know that there are also some of you thinking of becoming members. To reduce the traffic on this off-topic message, please do not respond to it at all here in the echo. Netmail only please. This is FYI so let's not let it take up any more space in this echo. Thanks. Regards, Steve. RE: PRODIGY MAY BE STEALING PERSONAL INFO FROM YOUR COMPUTER! Gentlemen, The following file was sent to me today, April 29th. I've read it twice and then had to try it out myself just to see if it was true. Whether it is a bug in the software, or a covert effort by Sears, IBM, and Prodigy to *STEAL* private and personal information from your computer, the fact remains that the STAGE.DAT file in the Prodigy Subdirectory digs up all sorts of information that would be absolutely meaningless to the operation of the software. ----------------------CUT HERE - ORIGINAL MESSAGE FOLLOWS----------- ----- Subject: Prodigy security warning While some of the enclosed article from comp.dcom.telecom is the usual bbs liver-chewing, the concerns about the STAGE.DAT file's grabbing of disk data is pretty serious. If you have the Prodigy demo kit or, heaven forbid, the real thing, what do you find when you look in your STAGE.DAT file? -- Bob ### BEGIN BBS FILE ### 218/250: Fraudigy Name: George J Marengo #199 @6974 From: The Gangs of Vista (Southern California) 619-758-5920 The L. A. County District Attorney is formally investigating PRODIGY for deceptive trade practices. I have spoken with the investigator assigned (who called me just this morning, February 22, 1991). We are free to announce the fact of the investigation. Anyone can file a complaint. From anywhere. The address is: District Attorney's Office Department of Consumer Protection Attn: RICH GOLDSTEIN, Investigator Hall of Records Room 540 320 West Temple Street Los Angeles, CA 90012 Rich doesn't want phone calls, he wants simple written statements and copies (no originals) of any relevant documents attached. He will call the individuals as needed, he doesn't want his phone ringing off the hook, but you may call him if it is urgent at 1-213-974-3981. PLEASE READ THIS SECTION EXTRA CAREFULLY. YOU NEED NOT BE IN CALIFORNIA TO FILE!! If any of us "locals" want to discuss this, call me at the Office Numbers: (818) 989-2434; (213) 874-4044. Remember, the next time you pay your property taxes, this is what you are supposed to be getting ... service. Flat rate? [laugh] BTW, THE COUNTY IS REPRESENTING THE STATE OF CALIFORNIA. This ISN'T limited to L.A. County and complaints are welcome from ANYWHERE in the Country or the world. The idea is investigation of specific Code Sections and if a Nationwide Pattern is shown, all the better. LARRY ROSENBERG, ATTY Prodigy: More of a Prodigy Than We Think? By: Linda Houser Rohbough The stigma that haunts child prodigies is that they are difficult to get along with, mischievous and occasionally, just flat dangerous, using innocence to trick us. I wonder if that label fits Prodigy, Sears and IBM's telecommunications network? Those of you who read my December article know that I was tipped off at COMDEX to look at a Prodigy file, created when Prodigy is loaded STAGE.DAT. I was told I would find in that file personal information form my hard disk unrelated to Prodigy. As you know, I did find copies of the source code to our product FastTrack, in STAGE.DAT. The fact that they were there at all gave me the same feeling of violation as the last time my home was broken into by burglars. I invited you to look at your own STAGE.DAT file, if you're a Prodigy user, and see if you found anything suspect. Since then I have had numerous calls with reports of similar finds, everything from private patient medical information to classified government information. The danger is Prodigy is uploading STAGE.DAT and taking a look at your private business. Why? My guess is marketing research, which is expensive through legitimate channels, and unwelcomed by you and I. The question now is: Is it on purpose, or a mistake? One caller theorizes that it is a bug. He looked at STAGE.DAT with a piece of software he wrote to look at the physical location of data on the hard disk, and found that his STAGE.DAT file allocated 950,272 bytes of disk space for storage. Prodigy stored information about the sections viewed frequently and the data needed to draw those screens in STAGE.DAT. Service would be faster with information stored on the PC rather then the same information being downloaded from Prodigy each time. That's a viable theory because ASCII evidence of those screens shots can be found in STAGE.DAT, along with AUTOEXEC.BAT and path information. I am led to belive that the path and system configuration (in RAM) are diddled with and then restored to previous settings upon exit. So the theory goes, in allocating that disk space, Prodigy accidently includes data left after an erasure (As you know, DOS does not wipe clean the space that deleted files took on the hard disk, but merely marked the space as vacant in the File Allocation Table.) There are a couple of problems with this theory. One is that it assumes that the space was all allocated at once, meaning all 950,272 bytes were absorbed at one time. That simply isn't true. My STAGE.DAT was 250,000+ bytes after the first time I used Prodigy. The second assumption is that Prodigy didn't want the personal information; it was getting it accidently in uploading and downloading to and from STAGE.DAT. The E-mail controversy with Prodigy throws doubt upon that. The E-mail controversy started because people were finding mail they sent with comments about Prodigy or the E-mail, especially negative ones, didn't ever arrive. Now Prodigy is saying they don't actually read the mail, they just have the computer scan it for key terms, and delete those messages because they are responsible for what happens on Prodigy. I received a call from someone from another user group who read our newsletter and is very involved in telecommunications. He installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg disk. Sure enough, upon checking STAGE.DAT he discovered personal data from his hard disk that could not have been left there after an erasure. He had a very difficult time trying to get someone at Prodigy to talk to about this. -------------- Excerpt of email on the above subject: THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST ALL WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY. THE FILE DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY SUB-DIRECTORY CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND WAITING FOR THAT NEXT MENU COME UP, THEY'RE UPLOADING YOUR STUFF AND LOOKING AT IT. TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A GENTLEMAN WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS A COLUMNIST ON PRODIGY. HE SAID THAT THE INFO FOUND IN 'FRAUDIGY.ZIP' WAS INDEED TRUE AND THAT IF YOU READ YOUR ON-LINE AGREEMENT CLOSELY, IT SAYS THAT YOU SIGN ALL RIGHTS TO YOUR COMPUTER AND ITS CONTENTS TO PRODIGY, IBM & SEARS WHEN YOU AGREE TO THE SERVICE. I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN 'PRODIGY' KIT. I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD DRIVE PARTITION, AND ONE ONTO A 1.2MB FLOPPY. ON THE FLOPPY VERSION, UPON INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE FILE 'STAGE.DAT' CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE CONTAINED IN MY 'C:' DRIVE BOOT DIRECTORY. USING THE HARD DRIVE DIRECTORY OF PRODIGY THAT WAS SET UP, I PROCEDED TO LOG ON. I LOGGED ON, CONSENTED TO THE AGREEMENT, AND LOGGED OFF. REMEMBER, THIS WAS A VIRGIN SETUP KIT. AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND IN THE PRODIGY SUBDIRECTORY. IN THOSE FILES, I FOUND POINTERS TO PERSONAL NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY DRIVE, AND AT THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY PC-DESKTOP APPOINTMENTS CALENDER. CHECK IT OUT FOR YOURSELF. ### END OF BBS FILE ### I had my lawyer check his STAGE.DAT file and he found none other than CONFIDENTIAL CLIENT INFO in it. Needless to say he is no longer a Prodigy user. [Moderator's Note: Thanks very much for sending along this fascinating report for the readers of TELECOM Digest. I've always said, and still believe that the proprietors of any online computer service have the right to run it any way they want -- even into the ground! -- and that users are free to stay or leave as they see fit. But it is really disturbing to think that Prodigy has the nerve to ripoff private stuff belonging to users, at least without telling them. But as I think about it, *who* would sign up with that service if they had bothered to read the service contract carefully and had the points in this article explained in detail? PAT] -=-=-=-=-=-=-=-=- end of forwarded msg... Tomas Hood, The Mountain, 206-666-9113 --- * Origin: Mensa This, Mensa That. Whew, and to think we can think.... (1:352/777) SEEN-BY: 1/217 12/12 13/13 103/501 104/1 107/3 109/25 124/2122 SEEN-BY: 124/4109 4115 4210 5125 129/34 151/1003 153/752 232/10 SEEN-BY: 261/1023 267/165 268/302 271/245 283/657 290/627 322/1 SEEN-BY: 343/300 380/7 20 382/1 396/1 640/206 3800/1 CONTROL...PATH: 352/777 23 11 1/217 13/13 124/4115 380/20