joec@Morgan.COM (Joe Collins) (05/01/91)
According to today's Wall Street Journal 5/1/91, page b1, the Prodigy s/w that resides on a MS/DOS PC "offers Prodigy's headquarters a peek into users' own private computer files." Apparently it is an accident, caused by a s/w fluke and probably due to some side-effects of MS DOS itself. The files STAGE.DAT and CACHE.DAT may inadvertently also contain snippets of a customer's own non-prodigy files. According to one of their technical staffers, "It's an unfortunate side effect of the way the operating system works." He says the side effect is part of the design of the DOS operating system.

Interesting reading - at a minimum, let's send lots of email to Prodigy, alerting them to our concern.

joec@morgan.com
David Barr <DSB100@psuvm.psu.edu> (05/02/91)
In article <1991May2.133936.3595@cs.dal.ca>, gauthier@ug.cs.dal.ca (Paul Gauthier) says:
>In article <3145@s5.Morgan.COM> joec@Morgan.COM (Joe Collins) writes:
>>
>>Interesting reading - at a minimum, let's send lots of email to Prodigy,
>>alerting them to our concern.
>>
>I say leave them alone. I'm sure the bad press they've gotten will get them
>to fix this (like initializing the sectors to 0s when they allocate them).

I agree. Leave them alone. Large scale complaining didn't help with the 'email list' affair, it won't help now.

>I'm not sure if it still does, but doesn't Prodigy's software have the
>ability to download updates of itself automatically from Prodigy? I'd be
>much more worried about that, for 2 reasons:
> a] While Prodigy is downloading new copies of itself you're
> probably still getting billed for online time. Especially
> if it does it in the background; it's using up your
> bandwidth and you're getting billed by the minute.

Where do you get this? Prodigy is not billed by the minute!!!!! It's a flat-fee service! Don't complain about 'using up bandwidth,' I've been a member of Prodigy for years, and it used to be M U C H worse. There was no intelligence to the downloading scheme for pages and screens of information, it was all on-demand. Now Prodigy tries to anticipate what screen you are going to read and download it in the background while you are reading one page. I don't use Prodigy much anymore, except for email, but their services are vastly improved since I first joined.

> b] This seems like a very nifty way for some crafty person to
> sneak in all sorts of fun software onto your system.
> Virus program, programs which are much more effective at
> looking for sensitive personal data, etc, etc.

This is paranoia. First, the software they download is used only by the Prodigy software itself. It is loaded as segments in the cache file. I doubt they could manage to put a very effective virus on your computer with this limiting factor. I don't think they can even download trojans, since they would have to be their own executable files.

---
David Barr - Penn State CAC Student Consultant, Student Programmer
DSB100@psuvm.psu.edu | dsbarr@endor.cs.psu.edu
barr@barrstl.scol.pa.us | ...psuvax1!hogbbs!barrstl!barr
gauthier@ug.cs.dal.ca (Paul Gauthier) (05/02/91)
In article <3145@s5.Morgan.COM> joec@Morgan.COM (Joe Collins) writes:
>According to today's Wall Street Journal 5/1/91, page b1, the Prodigy
>s/w that resides on a MS/DOS PC "offers Prodigy's headquarters a peek
>into users' own private computer files." Apparently it is an accident,
>caused by a s/w fluke and probably due to some side-effects of MS DOS
>itself. The files STAGE.DAT and CACHE.DAT may inadvertently also contain
>snippets of a customer's own non-prodigy files. According to one of their
>technical staffers, "It's an unfortunate side effect of the way the operating
>system works." He says the side effect is part of the design of the DOS
>operating system.

My guess is this data is data that you have deleted off of your hard drive, but since MS-DOS doesn't really BLANK out data when it's deleted, just reallocates the space, when Prodigy's software grabs some disk space for its files the sectors already contain your old data.

I saw a blurb on a news show where they were trying to claim that Prodigy was allegedly going to use this private information to produce credit info which they could then sell. What a load of shit. The manhours involved in wading through the sector-trash you'd find, figuring out what file-format it used to be before it was deleted, and reconstructing anything out of it would be immense. Some people are so goddamn paranoid.

>
>Interesting reading - at a minimum, let's send lots of email to Prodigy,
>alerting them to our concern.
>

I say leave them alone. I'm sure the bad press they've gotten will get them to fix this (like initializing the sectors to 0s when they allocate them).

I'm not sure if it still does, but doesn't Prodigy's software have the ability to download updates of itself automatically from Prodigy? I'd be much more worried about that, for 2 reasons:

 a] While Prodigy is downloading new copies of itself you're probably still getting billed for online time. Especially if it does it in the background; it's using up your bandwidth and you're getting billed by the minute.

 b] This seems like a very nifty way for some crafty person to sneak in all sorts of fun software onto your system. Virus program, programs which are much more effective at looking for sensitive personal data, etc, etc.

>joec@morgan.com

PG
--
============================================================================
Paul Gauthier | gauthier@ug.cs.dal.ca
President, Cerebral Computer Technologies | tyrant@dalac.bitnet
Phone: (902)462-8217 Fax: (send email first) | tyrant@ac.dal.ca
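
The mechanism guessed at in the post above (deletion frees space without blanking it, so a newly allocated file inherits the old bytes) and the suggested fix of zeroing sectors on allocation, as an added C illustration that is not part of the thread and is not DOS or Prodigy code. The toy allocator, its sizes, the file ids and the sample string are all constructed for the example.

```c
/* Added illustration: toy cluster allocator, not DOS or Prodigy code. */
#include <stdio.h>
#include <string.h>

#define CLUSTERS 8   /* hypothetical tiny disk */
#define CSIZE    16  /* bytes per cluster */

static unsigned char disk[CLUSTERS][CSIZE]; /* simulated data area */
static int owner[CLUSTERS];                 /* 0 = free, else file id */

/* Claim n free clusters for file id; zero them first if asked (the fix
   suggested in the thread). Returns how many clusters were claimed. */
static int alloc_clusters(int id, int n, int zero_on_alloc) {
    int got = 0;
    for (int c = 0; c < CLUSTERS && got < n; c++) {
        if (owner[c] != 0) continue;
        if (zero_on_alloc) memset(disk[c], 0, CSIZE);
        owner[c] = id;
        got++;
    }
    return got;
}

/* Delete the way the thread describes: release the entries, leave the data. */
static void delete_file(int id) {
    for (int c = 0; c < CLUSTERS; c++)
        if (owner[c] == id) owner[c] = 0;
}

/* Count non-zero bytes in clusters owned by id. */
static int residue_bytes(int id) {
    int n = 0;
    for (int c = 0; c < CLUSTERS; c++)
        for (int i = 0; owner[c] == id && i < CSIZE; i++)
            n += disk[c][i] != 0;
    return n;
}

/* A user file is written and deleted, then a preallocated data file
   (id 2, standing in for STAGE.DAT) claims space without writing to it. */
int leaked_after_prealloc(int zero_on_alloc) {
    memset(disk, 0, sizeof disk);
    memset(owner, 0, sizeof owner);
    alloc_clusters(1, 1, 0);               /* user file gets cluster 0 */
    memcpy(disk[0], "ACCT 1234", 9);       /* constructed sample data */
    delete_file(1);
    alloc_clusters(2, 4, zero_on_alloc);
    return residue_bytes(2);
}

int main(void) {
    printf("no zeroing:       %d residual bytes\n", leaked_after_prealloc(0));
    printf("zero on allocate: %d residual bytes\n", leaked_after_prealloc(1));
    return 0;
}
```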
eric@cs.fau.edu (Eric Thav) (05/03/91)
> a] While Prodigy is downloading new copies of itself you're
> probably still getting billed for online time. Especially
> if it does it in the background; it's using up your
> bandwidth and you're getting billed by the minute.

PRODIGY users aren't billed for online time, instead they are given "unlimited" usage for a fee each month ("unlimited" except for certain features that were recently introduced or for over 30 private messages per month), so this is of really no concern unless you get charged for making the actual phone call (such as long distance calls).

> b] This seems like a very nifty way for some crafty person to
> sneak in all sorts of fun software onto your system.
> Virus program, programs which are much more effective at
> looking for sensitive personal data, etc, etc.

Or even worse, getting bitten by the virus that went out with version 3.0 of their software, the version that was released when they went nationwide and got all of the big publicity (just before they got all the bad publicity). They quickly and quietly released 3.1 with no virus.

Despite the fact that it is a potentially dangerous way of handling the updating of software, it is quite a novel idea. We are looking into doing this for our local area network, distributing updates of drivers or similar such programs or data.

--
.signature not found, format hard disk instead? (Y/N)_
Eric L. Thav
Florida Atlantic University - Boca Raton, FL
INTERNET: eric@acc.fau.edu    GEnie: E.THAV     | PRODIGY: Lots of ads
BITNET: eric@fauvax           PRODIGY: NMVG80A  | and we read your mail!
jcwasik@PacBell.COM (Joe Wasik) (05/04/91)
In article <91122.120725DSB100@psuvm.psu.edu> DSB100@psuvm.psu.edu (David Barr) writes:
>[...] First, the software they download is used only by the
>Prodigy software itself. It is loaded as segments in the cache file.
>I doubt they could manage to put a very effective virus on your computer
>with this limiting factor. I don't think they can even download trojans,
>since they would have to be their own executable files.

Sorry, but if malice was Prodigy's intention, they could do ANYTHING they want. Don't forget, that's their program you have running on your PC. That program has total control of your system. It could modify itself -- and it could modify anything else.

While I don't think Prodigy intentionally grabs data, I agree with a point made earlier that if they have your data, it's not only Prodigy you must trust, but also every Prodigy employee that has access to that data. So, perhaps it's a good idea that they stopped taking it.

--
Joe Wasik, Pac*Bell, 2600 Camino Ramon, Rm 4E750V, San Ramon, CA (415)823-2422
email: jcwasik@clib.PacBell.COM or [...]!pacbell!clib!jcwasik
Sloganeering (slo-gan-err-ing) v. The act of believing that people can be motivated by expressing a phrase. [See "We value..."]