knotts@hpl-opus.hpl.hp.com (Tom Knotts) (12/14/90)
Thanks to all who responded to my question: "is the computer virus a real threat?". From the responses, the answer is absolutely. I now have an anti-virus program and feel relatively secure. One person said something to me that is really disturbing about Prodigy. He said that using Prodigy is really dangerous because it has the capability to change any file on your hard disk without telling you. He points out that a disgruntled employee could program Prodigy to infect all Prodigy users' machines. Does any one know more about this? Is Prodigy really dangerous? My wife uses Prodigy all of the time, and now she is really worried. Perhaps we should post responses so that all can benefit. Thanks, tom
raymond@oreo.berkeley.edu (Raymond Chen) (12/14/90)
The topic has been discussed in comp.risks. Here are the references from Volume 9. RISKS-9.55 18 Dec 1989 PR RISKs of computer communications -- Prodigy (Mark Jackson) RISKS-9.69 15 Feb 1990 Now Prodigy Can Read You (Wechsler, Donald B) RISKS-9.74 12 Mar 1990 Re: Now Prodigy Can Read You (Eric Roskos) RISKS-9.75 15 Mar 1990 PRODIGY updating programs (Simson L. Garfinkel) RISKS-9.78 5 Apr 1990 More on Prodigy's Updating of a User's Disks (Eric Roskos, Paul Eggert) RISKS-9.79 9 Apr 1990 Re: More on Prodigy's Updating of a User's Disks (Leonard Erickson) Here are copies of the first three referenced articles. If you are still interested, you can ftp the other references from the comp.risks archives at crvax.sri.com. I have taken the liberty of editing the items for brevity. The full unexpurgicated versions are available from crvax. Note also that Volume 10 contains discussion on Prodigy's infamous censorship escapades, and its recent electronic mail brouhaha. ------------------------------------------------------------------------------- Date: Thursday, 15 Feb 1990 17:11:22 EST From: m17434@mwvm.mitre.org (Wechsler, Donald B) Subject: Now Prodigy Can Read You The Prodigy Services publication, PRODIGY STAR, recently showcased a "major benefit". Prodigy accesses remote subscribers' disks to check the Prodigy software version used, and when necessary, downloads the latest programs. This process is automatic when subscribers link to the network. I asked Prodigy how they protect against the possibility of altering subscribers' non-Prodigy programs, or reading their personal data. Prodigy's less-than-reassuring response was essentially (1) we don't look at other programs, and (2) you can boot from a floppy disk. According to Prodigy, the feature cannot be disabled. ------------------------------ Date: Fri, 09 Mar 90 09:37:19 E From: Eric Roskos <jer@ida.org> Subject: Re: Now Prodigy Can Read You (RISKS-9.69) The "programs" updated by the PRODIGY software are not executable files loadable by the PC's operating system. The PRODIGY software is unable to update the DOS-executable object programs automatically, and has to send out new disks when this is necessary. Nevertheless, due the PC's lack of security mechanisms, the possibility of altering subscriber's programs or reading personal data does exist on any such system. PRODIGY representatives have repeatedly stated that the PRODIGY software will not do this. ------------------------------ Date: 12 Mar 90 20:44:07 EST (Mon) From: simsong@prose.CAMBRIDGE.MA.US (Simson L. Garfinkel) Subject: PRODIGY updating programs I must take issue with Eric Roskos saying that PRODIGY can only update information in the STAGE.DAT file. In doing my article on PRODIGY for The Christian Science Monitor, I was told by Prodigy's manager of software services that one of the really nifty tricks of PRODIGY is that nearly the entire system running on the PC --- including the .EXE files --- can be updated remotely. This eliminates the need to send out floppy disks with updates.
john@jwt.UUCP (John Temples) (12/16/90)
In article <80330004@hpl-opus.hpl.hp.com> knotts@hpl-opus.hpl.hp.com (Tom Knotts) writes: >One person said something to me that is really disturbing about Prodigy. >He said that using Prodigy is really dangerous because it has the >capability to change any file on your hard disk without telling you. He >points out that a disgruntled employee could program Prodigy to infect >all Prodigy users' machines. What's so special about Prodigy's software that people are singling it out as "dangerous?" A disgruntled employee at Microsoft could program Windows so that it trashed your FAT if it detected a certain brand of disk partitioning software. A disgruntled employee at WordPerfect Corp. could program WP 6.0 to reformat one hard disk in ten thousand. A disgruntled employee at...well, you get the idea. If you run binaries written by other people, you are taking a risk. If you want to be paranoid, you can come up with all sorts of horrifying scenarios. Keep good backups, and don't lose any sleep over it. -- John W. Temples -- john@jwt.UUCP (uunet!jwt!john)
mcdonald@aries.scs.uiuc.edu (Doug McDonald) (12/18/90)
In article <1990Dec16.031022.22166@jwt.UUCP> john@jwt.UUCP (John Temples) writes: >In article <80330004@hpl-opus.hpl.hp.com> knotts@hpl-opus.hpl.hp.com (Tom Knotts) writes: >>One person said something to me that is really disturbing about Prodigy. >>He said that using Prodigy is really dangerous because it has the >>capability to change any file on your hard disk without telling you. He >>points out that a disgruntled employee could program Prodigy to infect >>all Prodigy users' machines. > >What's so special about Prodigy's software that people are singling >it out as "dangerous?" A disgruntled employee at Microsoft could >program Windows so that it trashed your FAT if it detected a certain >brand of disk partitioning software. Yes, but this can only happen once for each porgram you buy - and it would quickly get out to the whole world if it actually happened because things like what you attribute to Microsoft are quite noticeable. (Like, Microsoft Windows 3.0 really DOES trash your hard disk if you have a certain brand of disk partitioning software.) And Microsoft products don't call Microsoft on the phone and copy your disk to them. But Prodigy can do it selectively, at any time they feel like. They can steal programs off your disk. They can survey your disk to see what programs are on it, and then, for example, sell your "user profile" to advertisers who will flood you with junk mail. Etc. Using Prodigy is exactly like using a Unix system and turning off ALL forms of protection - let anybody logged on do anything they wish. If I connect my PC to some other computer, I want to be very sure that there is some security. Right now I am running Telnet on my PC. There is no way to log in from the outside. You can, if you wish, right now, do ftp to my PC. But you need the password. I have no idea how good the security is but at least it exists. Doug McDonald
raymond@ronzoni.berkeley.edu (Raymond Chen) (12/18/90)
In article <1990Dec16.031022.22166@jwt.UUCP> john@jwt.UUCP (John Temples) writes: >What's so special about Prodigy's software that people are singling >it out as "dangerous?" A disgruntled employee at Microsoft could > [do nasty things]. Scenario 1: I bought Windows a few months ago. Works fine. Today, a Microsoft employee gets disgruntled and embeds a time bomb in Windows 3.0. My copy of Windows will not be affected because I bought it before he got disgruntled. Scenario 2: I bought Prodigy a few months ago. Works fine. Today, a Prodigy employee gets disgruntled and embeds a time bomb in the Prodigy software. My copy of Prodigy _will_ be affected even though I bought it before he got disgruntled. The difference: When I buy Windows, I open myself to disgruntlement only once, namely at the moment I purchase the software. When I buy Prodigy, I open myself to disgruntlement _every_time_I_log_on_, because Prodigy automatically downloads new versions of the Prodigy software when I log on. Essentially, I am involuntarily upgrading to the most recent version of Prodigy. For more details, please read the Risks articles I referenced in a previous article.
toma@sail.LABS.TEK.COM (Tom Almy) (12/18/90)
In article <1990Dec16.031022.22166@jwt.UUCP> john@jwt.UUCP (John Temples) writes: >In article <80330004@hpl-opus.hpl.hp.com> knotts@hpl-opus.hpl.hp.com (Tom Knotts) writes: >>One person said something to me that is really disturbing about Prodigy. >>He said that using Prodigy is really dangerous because it has the >>capability to change any file on your hard disk without telling you. >What's so special about Prodigy's software that people are singling >it out as "dangerous?" A disgruntled employee at Microsoft could >program Windows so that it trashed your FAT if it detected a certain >brand of disk partitioning software. A disgruntled employee at >WordPerfect Corp. could program WP 6.0 to reformat one hard disk in >ten thousand. A disgruntled employee at...well, you get the idea. [...] Prodigy is not the first service to do this. Many years ago I got a Compuserve account on my TRS-80. The package came with a presumably dumb terminal emulator (no upload/download, among other things). But it turned out to have a secret download capability, and more! In order to get a better emulator I went to the programming area and ran a program. That program downloaded the new package and even started it running! Compuserve software has always had the capability of reading and writing ones disks under Compuserve's control. Maybe the problem with Prodigy is that have shown they cannot be trusted for other reasons. Tom Almy toma@sail.labs.tek.com <<< Note new address Standard Disclaimers Apply -- Tom Almy toma@sail.labs.tek.com <<< Note new address Standard Disclaimers Apply
john@jwt.UUCP (John Temples) (12/19/90)
In article <1990Dec17.171847.14470@ux1.cso.uiuc.edu> mcdonald@aries.scs.uiuc.edu (Doug McDonald) writes: >In article <1990Dec16.031022.22166@jwt.UUCP> john@jwt.UUCP (John Temples) writes: >>What's so special about Prodigy's software that people are singling >>it out as "dangerous?" >Yes, but this can only happen once for each porgram you buy - and >it would quickly get out to the whole world if it actually happened >because things like what you attribute to Microsoft are quite >noticeable. Why would it "get out to the whole world" any less quickly if Prodigy did it? >But Prodigy can do it selectively, at any time they feel like. They can >steal programs off your disk. They can survey your disk to see what >programs are on it, and then, for example, sell your "user profile" >to advertisers who will flood you with junk mail. Etc. You make it sound as though Prodigy already has the software in place to do these things. >Using Prodigy is exactly like using a Unix system and turning off >ALL forms of protection - let anybody logged on do anything they wish. Substitude "MS-DOS" for "Prodigy" in the above sentence... >If I connect my PC to some other computer, I want to be very sure >that there is some security. Right now I am running Telnet on my PC. >There is no way to log in from the outside. You can, if you wish, >right now, do ftp to my PC. But you need the password. I have no >idea how good the security is but at least it exists. If you have no idea how good the security is, how does its mere existence make you feel any better? Why do you have more faith in the author of Telnet than in the author of Prodigy? See my original question above, "What's so special about Prodigy's software..." I fail to see the direct correlation between the recent behavior of Prodigy management and the likelihood of a disgruntled Prodigy employee stealing programs from people's disks. -- John W. Temples -- john@jwt.UUCP (uunet!jwt!john)
roy%cybrspc@cs.umn.edu (Roy M. Silvernail) (12/19/90)
john@jwt.UUCP (John Temples) writes: > What's so special about Prodigy's software that people are singling > it out as "dangerous?" A disgruntled employee at Microsoft could > program Windows [possibilities deleted] I think the reason for the concern is that, while the scenarios you describe _could_ take place, it would require tainting of a new release of the software. The current [Windows | WP | etc.] seems to be secure. On the other hand, the current version of the Prodigy software is _already equipped_ to change files on your filesystem. No need to wait for you to buy something new when the back door is already in place, and has been from the inception of Prodigy. > If you run binaries written by other people, you are taking a risk. > If you want to be paranoid, you can come up with all sorts of > horrifying scenarios. Keep good backups, and don't lose any sleep > over it. Agreed. But I still don't go to bed with my doors unlocked. -- Roy M. Silvernail |+| roy%cybrspc@cs.umn.edu |+| #define opinions ALL_MINE; main(){float x=1;x=x/50;printf("It's only $%.2f, but it's my $%.2f!\n",x,x);} "This is cyberspace." -- Peter da Silva :--: "...and I like it here!" -- me
akcs.vladimer@point.UUCP (kevin kadow) (12/27/90)
I'd like to know more about the other problems with prodigy... As to what the real difference between Prodidgy updates and commercial software is: If I buy a commercial program and install it on my HD, that is a one time act, where I get a file from the company. With PRODIGY, let's say that I call and send some E-mail to a guy saying that I'm working on a revolutionary new communications network that will make systems like Prodigy and Compuserve OBSOLETE. Now let us say that they intercept this message, in which I say I'm writing this program using PASCAL. Prodigy writes a program, which is run in the background on *MY* system the next time I call. This program makes a list of a files with a .PAS extension that are on my drive, and copies them (in the background) to their disk WHILE I AM ONLINE. They could also sabotage my program, or otherwise conduct industrial espionage.
kevin@msa3b.UUCP (Kevin P. Kleinfelter) (12/28/90)
akcs.vladimer@point.UUCP (kevin kadow) writes: >I'd like to know more about the other problems with prodigy... > >As to what the real difference between Prodidgy updates and commercial >software is: > >If I buy a commercial program and install it on my HD, that is a one time >act, where I get a file from the company. >With PRODIGY, let's say that I call and send some E-mail to a guy saying >that I'm working on a revolutionary new communications network that will >make systems like Prodigy and Compuserve OBSOLETE. Now let us say that >they intercept this message, in which I say I'm writing this program >using PASCAL. >Prodigy writes a program, which is run in the background on *MY* system >the next time I call. This program makes a list of a files with a .PAS >extension that are on my drive, and copies them (in the background) to >their disk WHILE I AM ONLINE. > >They could also sabotage my program, or otherwise conduct industrial >espionage. If you really believe that this is likely, then one can assume that you would be willing to put forth some effort to make money from this notion. Here is what you do: Get a PC, put nothing on it but Prodigy, lots of dummy data, and a TSR program to record all file opens. Use this PC for all your Prodigy access. When you have evidence that Prodigy has done something inappropriate to your machine, sue. If you do not believe that this is worth the effort, then I assert that you do not believe that it is likely that Prodigy will inflict any damage. Yes, it is hypothetically possible that you could be damaged by Prodigy. However, one should remember that Prodigy-type communication is about as "private" as cordless and cellular phones (i.e. anyone CAN listen if they go to the trouble). If you were to come under suspicion of illegal computer-related activities, you can bet that the authorities would get a writ, ordering Prodigy to copy everything from your disk as evidence. (So now that you've demonstrated paranoia about corporate America, I've just demonstrated paranoia about governmental America.) -- Kevin Kleinfelter @ Dun and Bradstreet Software, Inc (404) 239-2347 {emory,gatech}!nanovx!msa3b!kevin Soon to become {emory,gatech}!nanovx!dbses0!kevin (But not yet!)
akcs.vladimer@point.UUCP (kevin kadow) (12/31/90)
I'm not saying that PRODIGY *would* do anything unscrupulous such as read/write from files other than what is needed for terminal updates, but that they COULD, and do you want to run that risk just to get free updates on-line?
wb8foz@mthvax.cs.miami.edu (David Lesher) (12/31/90)
>I'm not saying that PRODIGY *would* do anything unscrupulous such as >read/write from files other than what is needed for terminal updates, but >that they COULD, and do you want to run that risk just to get free >updates on-line? Also considering that PRODIGY is run by 'suits' in the Marketing Dept, I'm sure they can come up with an excuse to investigate what other software you are running. After all, they now grab scanner data from the supermarkets for such questions as: Do folks who buy toilet paper on sale also buy Preparation-H? Can looking at your spreadsheet data be far behind? -- A host is a host from coast to coast.....wb8foz@mthvax.cs.miami.edu & no one will talk to a host that's close............(305) 255-RTFM Unless the host (that isn't close)......................pob 570-335 is busy, hung or dead....................................33257-0335