------------------------------ From: "D.Baswell@adacp.com" Subject: Comp.Org.Eff.Talk. comments on Prodigy FYI Date: Sat, $ May 91 09:01:08 GMT ******************************************************************** *** CuD #3.16: File 4 of 6: Assorted Comments on Prodigy *** ******************************************************************** I find these posts from comp.org.eff.talk interesting. Hope you do too. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ (Begin Posts): Subject: Re: Prodigy charged with invading users' privacy Date: 1 May 91 05:17:34 GMT Sender: usenet@pcserver2.naitc.com (News Poster for NNTP) in article <1991Apr30.225133.8165@craycos.com> jrbd@craycos.com (James Davies) writes: >> I received a call from someone from another user group who read >>our newsletter and is very involved in telecommunications. He >>installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg >>disk. Sure enough, upon checking STAGE.DAT he discovered personal data >>from his hard disk that could not have been left there after an >>erasure. > >Question: was he using an unused disk, or did he just reformat an old >one, assuming that it would be wiped clean? > >Could some Prodigy user out there try this experiment again, this >time using a verifiably empty disk? I get the feeling that this hasn't >exactly been a controlled experiment so far... Note one thing well: All formats on a floppy disk ARE LOW LEVEL FORMATS. That is, all data is physically erased, sector marks are rewritten, the whole works. It is not possible on a DOS machine to issue a "FORMAT A:" and have any data retained on the diskette from prior use. Try it. You'll see that this is the case. To do a controlled test, do the following: 1) Bulk erase and then format a floppy diskette. NO CHANCE of any residual data on the disk surface after this. 2) Run a "cleandisk" program to write ZEROS to all unallocated areas of the fixed disk in the machine. This will guarantee that all unallocated areas, which may be used for scratch buffers, have no data on them. The tail end of files are irrelevant -- that's an ALLOCATED area and should not be touched by the software if it's being "honest". 3) Install Prodigy on the floppy disk. Do not touch the hard drive, or run any software from it. Work >only< on the floppy disk. 4) Call Prodigy. Spend an hour or two online. Give 'em plenty of time to hose you if they're going to. 5) Sign off and look at STAGE.DAT on the floppy disk. Alternately, after cleaning the disk, install the Prodigy software on the fixed disk. DO NOT ACCESS ANY OTHER PROGRAMS OR DATA. Immediately run Prodigy, dial in, and use it for a couple of hours. Then check STAGE.DAT on the fixed disk. Since you zeroed all unallocated areas on the drive before you began, there is no way the STAGE.DAT file could have gotten private data in it unless the software is scanning your fixed disk drive. This should provide rather conclusive proof one way or the other. I'm not a Prodigy subscriber, or I'd try this... Subject: Re: Prodigy charged with invading users' privacy (was Re: Date: 1 May 91 21:07:40 GMT > zane@ddsw1.MCS.COM (Sameer Parekh) writes: > > Thank you for posting that. I had previously thought that Prodigy >was simply a dumb service. Now I am committed to the education of people to >stop using Prodigy. I will be writing an 'information sheet' which I will >distribute so that we can educate those who are not on the net. I will post >it here first so that I may get feedback on how it is. > (I didn't hear about it from this post, a friend who obviously read >this post told me about it.) The evidence presented so far has been in a word "SHODDY". Before you go making statements about this matter I would advise you to investigate more fully. Telling people not to use this service because of a supposely found problem that later turns out to be false opens the possibility of being sued for LIBEL. You could be sued for loss of revenue for each and every user you convince to discontinue or not use the service. This includes lost advertising revenue. The "litmus" tests I have seen so far are invalid. They show a lack of understanding of all the possible ways for this to happen (and there are many!) The proper test should be: wipe the hard disk clean -- i.e. low level reformat or wipedisk etc. Note: This should be done to any and all disks, partitions, etc on the system. (Or remove them) 2: insure all disks are clean!! 3: install test files to look for(if needed). Do not delete anything. Do not use any disk compressor. Just copy the files onto the disk. 4: POWER OFF the machine. Wait 10 min. (Yes, 10 MIN!) 5: Turn machine on and verify memory is clear. Don't do anything except what is listed here. Especially don't go looking at files. Don't do anything that might bring a file into memory or a disk buffer. 6: install prodigy 7: run prodigy for a period of time (1 hour or so) 8: NOW check the STAGE.DAT file. An even better test would to be to monitor the data being sent back to Prodigy. Subject: Re: Prodigy charged with invading users' privacy Date: 2 May 91 16:03:52 GMT Now that there is some more reliable data on the STAGE.DAT "controversy", I hope that everyone will settle down and stop accusing Prodigy of spying on them. It appears that the "stolen personal data" in the file was, as several people have speculated, just leftover pieces of deleted files. However, what nobody seemed to notice in all of this hysteria is that Prodigy doesn't need to move data into STAGE.DAT in order to "steal" it. They could just as easily have just directly snatched your client lists and accounting records without buffering it to another file first (in fact, a truly sneaky system would have done just that, I would say). There is a lot of trust necessary to use any network software -- for all I know, "rn" could be browsing through my files right this minute. However, there is no reason for me to suspect this, and if it did happen and I discovered it, I'm sure there would be hell to pay for the person responsible. Prodigy is in a position to lose quite a bit if they were found to be illegally spying on their users (can you say "deep pockets"? -- IBM is the Grand Canyon of deep pockets...) It's inconceivable to me that they would be pursuing such a risky policy. jrbd ++++++++++++++++++++++++ Dear Dr. Pangloss The stage.dat file is created when you install the prodigy software by pulling random bits from your computer's memory and hard disk erased space. This methods is the fastest way to create an "empty" file. As you use the service, reusable service information is stored in the file, overwriting random data stored there initially. When the service can get information from your stage file, rather than from the modem, the service speed is improved. Thanks for writing +++++++++++++++++++++++++++++++++++++++++++ Comments: a. The original message was in upper case. b. Although the basic outline is probably correct, I somehow doubt that the setup sequence "pulls random bits from your computer's memory.". It's probably using what ever was in the area last. Not quite random. (And not a very nice way to write a program. Me, I'd initialize everything to 0's or 1's.) c. The moral is clear. Digital is forever. When you erase a file you don't erase anything, you just tell the system that it can reuse the space. Admiral Poindexter can testify to that. (And so can Peter Norton who's saved many a person's skin.) ******************************************************************** >> END OF THIS FILE << ***************************************************************************