To: David Walker Subject: comp.risks Prodigy postings Date: Tue, 30 Apr 91 20:24:13 -0700 From: Stephen D Franklin Resent-Date: Tue, 30 Apr 91 20:24:20 PDT Resent-From: David Walker Resent-To: DWalker@neptune.nts.uci.edu Here's what Paul was refering to. Having dug them out for me, I had to share them with someone who had not seen them. :-) -- sdf ---------------------------------------------------------------------- Date: Mon, 29 Apr 91 07:31:47 MST From: the terminal of Geoff Goodfellow Subject: Jerry Sweet: [comp.dcom.telecom: Prodigy and GEnie hate and rumors] ------- Forwarded Message Date: Sun, 28 Apr 91 22:44:01 MST From: Jerry Sweet Subject: [comp.dcom.telecom: Prodigy and GEnie hate and rumors] To: "Jerry's Clipping Service":;@fernwood.mpk.ca.us 3 items: - Prodigy or Fraudigy ??? - Prodigy Questions - GEnie Management Acting a la Prodigy Management? - ------- Forwarded Messages Date: 26 Apr 91 19:09:50 GMT From: overlf!emanuele@kb2ear.ampr.org (Mark A. Emanuele) Subject: Prodigy or Fraudigy ??? I just downloaded this from a local bbs and thought it might be interesting. ### BEGIN BBS FILE ### 218/250: Fraudigy Name: George J Marengo #199 @6974 From: The Gangs of Vista (Southern California) 619-758-5920 The L. A. County District Attorney is formally investigating PRODIGY for deceptive trade practices. I have spoken with the investigator assigned (who called me just this morning, February 22, 1991). We are free to announce the fact of the investigation. Anyone can file a complaint. From anywhere. The address is: District Attorney's Office Department of Consumer Protection Attn: RICH GOLDSTEIN, Investigator Hall of Records Room 540 320 West Temple Street Los Angeles, CA 90012 Rich doesn't want phone calls, he wants simple written statements and copies (no originals) of any relevant documents attached. He will call the individuals as needed, he doesn't want his phone ringing off the hook, but you may call him if it is urgent at 1-213-974-3981. PLEASE READ THIS SECTION EXTRA CAREFULLY. YOU NEED NOT BE IN CALIFORNIA TO FILE!! If any of us "locals" want to discuss this, call me at the Office Numbers: (818) 989-2434; (213) 874-4044. Remember, the next time you pay your property taxes, this is what you are supposed to be getting ... service. Flat rate? [laugh] BTW, THE COUNTY IS REPRESENTING THE STATE OF CALIFORNIA. This ISN'T limited to L. A. County and complaints are welcome from ANYWHERE in the Country or the world. The idea is investigation of specific Code Sections and if a Nationwide Pattern is shown, all the better. LARRY ROSENBERG, ATTY Prodigy: More of a Prodigy Than We Think? By: Linda Houser Rohbough The stigma that haunts child prodigies is that they are difficult to get along with, mischievous and occasionally, just flat dangerous, using innocence to trick us. I wonder if that label fits Prodigy, Sears and IBM's telecommunications network? Those of you who read my December article know that I was tipped off at COMDEX to look at a Prodigy file, created when Prodigy is loaded STAGE.DAT. I was told I would find in that file personal information form my hard disk unrelated to Prodigy. As you know, I did find copies of the source code to our product FastTrack, in STAGE.DAT. The fact that they were there at all gave me the same feeling of violation as the last time my home was broken into by burglars. I invited you to look at your own STAGE.DAT file, if you're a Prodigy user, and see if you found anything suspect. Since then I have had numerous calls with reports of similar finds, everything from private patient medical information to classified government information. The danger is Prodigy is uploading STAGE.DAT and taking a look at your private business. Why? My guess is marketing research, which is expensive through legitimate channels, and unwelcomed by you and I. The question now is: Is it on purpose, or a mistake? One caller theorizes that it is a bug. He looked at STAGE.DAT with a piece of software he wrote to look at the physical location of data on the hard disk, and found that his STAGE.DAT file allocated 950,272 bytes of disk space for storage. Prodigy stored information about the sections viewed frequently and the data needed to draw those screens in STAGE.DAT. Service would be faster with information stored on the PC rather then the same information being downloaded from Prodigy each time. That's a viable theory because ASCII evidence of those screens shots can be found in STAGE.DAT, along with AUTOEXEC.BAT and path information. I am led to belive that the path and system configuration (in RAM) are diddled with and then restored to previous settings upon exit. So the theory goes, in allocating that disk space, Prodigy accidently includes data left after an erasure (As you know, DOS does not wipe clean the space that deleted files took on the hard disk, but merely marked the space as vacant in the File Allocation Table.) There are a couple of problems with this theory. One is that it assumes that the space was all allocated at once, meaning all 950,272 bytes were absorbed at one time. That simply isn't true. My STAGE.DAT was 250,000+ bytes after the first time I used Prodigy. The second assumption is that Prodigy didn't want the personal information; it was getting it accidently in uploading and downloading to and from STAGE.DAT. The E-mail controversy with Prodigy throws doubt upon that. The E-mail controversy started because people were finding mail they sent with comments about Prodigy or the E-mail, especially negative ones, didn't ever arrive. Now Prodigy is saying they don't actually read the mail, they just have the computer scan it for key terms, and delete those messages because they are responsible for what happens on Prodigy. I received a call from someone from another user group who read our newsletter and is very involved in telecommunications. He installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg disk. Sure enough, upon checking STAGE.DAT he discovered personal data from his hard disk that could not have been left there after an erasure. He had a very difficult time trying to get someone at Prodigy to talk to about this. -------------- Excerpt of email on the above subject: THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST ALL WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY. THE FILE DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY SUB-DIRECTORY CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND WAITING FOR THAT NEXT MENU COME UP, THEY'RE UPLOADING YOUR STUFF AND LOOKING AT IT. TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A GENTLEMAN WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS A COLUMNIST ON PRODIGY. HE SAID THAT THE INFO FOUND IN 'FRAUDIGY.ZIP' WAS INDEED TRUE AND THAT IF YOU READ YOUR ON-LINE AGREEMENT CLOSELY, IT SAYS THAT YOU SIGN ALL RIGHTS TO YOUR COMPUTER AND ITS CONTENTS TO PRODIGY, IBM & SEARS WHEN YOU AGREE TO THE SERVICE. I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN 'PRODIGY' KIT. I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD DRIVE PARTITION, AND ONE ONTO A 1.2MB FLOPPY. ON THE FLOPPY VERSION, UPON INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE FILE 'STAGE.DAT' CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE CONTAINED IN MY 'C:' DRIVE BOOT DIRECTORY. USING THE HARD DRIVE DIRECTORY OF PRODIGY THAT WAS SET UP, I PROCEDED TO LOG ON. I LOGGED ON, CONSENTED TO THE AGREEMENT, AND LOGGED OFF. REMEMBER, THIS WAS A VIRGIN SETUP KIT. AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND IN THE PRODIGY SUBDIRECTORY. IN THOSE FILES, I FOUND POINTERS TO PERSONAL NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY DRIVE, AND AT THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY PC-DESKTOP APPOINTMENTS CALENDER. CHECK IT OUT FOR YOURSELF. ### END OF BBS FILE ### I had my lawyer check his STAGE.DAT file and he found none other than CONFIDENTIAL CLIENT INFO in it. Needless to say he is no longer a Prodigy user. Mark A. Emanuele V.P. Engineering Overleaf, Inc. 218 Summit Ave Fords, NJ 08863 (908) 738-8486 emanuele@overlf.UUCP [Moderator's Note: Thanks very much for sending along this fascinating report for the readers of TELECOM Digest. I've always said, and still believe that the proprietors of any online computer service have the right to run it any way they want -- even into the ground! -- and that users are free to stay or leave as they see fit. But it is really disturbing to think that Prodigy has the nerve to ripoff private stuff belonging to users, at least without telling them. But as I think about it, *who* would sign up with that service if they had bothered to read the service contract carefully and had the points in this article explained in detail? PAT] - ------- Message 2 Date: 27 Apr 91 19:53:00 GMT From: 0004133373@mcimail.com (Donald E. Kimberlin) Subject: Re: Prodigy Questions In article (Digest v11, iss303), Arnette P. Baker asks: > I am looking for information on Prodigy. I am looking into it because > my parents just bought a PC and are looking for things to do with it > ...question I have involves e-mail. Prodigy's interpretaion of what constitutes "mail," particularly e-mail, has been a particular point of discussion. It seems that from the perspective of a lot of the public, Prodigy wants to have its cake and eat it too, in that they CHARGE you for its delivery, and then CENSOR anything they don't like. Even the Postal Service doesn't look inside your envelope when you mail something, even though that may be something objectionable. We can. of course, understand an electronic bulletin board's System Operator reserving the right to delete items not in keeping with the Sysop's policies. But Prodigy seems to be trying to go a step further, charging you for more than a minimal amount of transmission, and heavily censoring what it transports. This might sound incredible, but the press report I saw at the peak of public outrage concerned Prodigy censoring a message in which a coin collector was asking about "Roosevelt dimes." When he asked the Prodigy staff why they deleted his mail, the unbelievably stupid retort was that "pro{oting personalities is prohibited." When he pressed about what "personality promotion" was involved with Roosevelt dimes, the more unbelievably stupid reason was, "Why, Roosevelt Dimes, the Chicago Bears football player, of course!" I have NOT made this story up. I wish I could recall the publication source to prove it. Incidents like this have caused suficient public outcry that Prodigy is under investigation, as summed up in the following snippet from , 4/22/91: "FAR FROM A PRODIGY" (Network World, April 15, p.4) Prodigy Services Co. is being investigated for possible criminal or civil violations stemming from its electronic-mail pricing and bulletin board editing policies. Users are complaining about the on-line service's recently established 25-cent price tag for every E-mail message after the first 30 allowed per month; they claim that Prodigy's policy pf deleting or editing controversial or obscene' (since when are Roosevelt dimes either controversial OR obscene?) "messages from bulletin boards violates the First Amendment. (DA Probes BBS Practices at Prodigy, by Barton Crockett)." My own opinion is that your parents would be best off to assert one of our few remaining rights, to just take that Prodigy kit and return it to Sears before they cancel the famous Sears money-bakc guarantee. There are plenty of other places to have both bbs recreation and to use "electronic mail" provided by responsible parties. Even MCIMail has a deal where your e-mail (of moderate length) costs only 25 cents per message, while it reaches a far wider range, including real business. And, oh. Compu$erve's "e-mail" to the outside world is really a port to MCIMail, so why not just open an MCIMail account and buy it direct, and cheaper? All you need to do to help is to get an easy-to-use comms program for their Sears-bought PS/1 (I recommend BOYAN as a very easy program for beginners to use, especially if you install it and enter the dialing directory numbers for them) and introduce them to the world of REAL bbs-ing. In fact, if you get onto a commercial e-mail service and request it of our Moderator, he can get the Digest delivered to DOS, MAC or what-have-you there daily! [Moderator's Note: This is correct. TELECOM Digest can be (and is!) delivered to almost every commercial email service in the world. Copies go to MCI Mail, ATT Mail, Telemail/Sprint Mail, Compuserve, Portal, and many others including the Telebox Mail system in Germany. All you have to do is provide me with a working path to get there. PAT] - ------- Message 3 Date: 26 Apr 91 13:56:00 GMT From: CRUZ_A@ccl2.eng.ohio-state.edu Subject: GEnie Management Acting a la Prodigy Management? Dear Telecom Readers: In the {MacWeek}, April 16th, 1991, Volume 5, Number 14 issue, there is a story about a user lockout in the GEnie on-line service: A Toronto couple requested an explanation of the online service's recent lockout of members who disagreed publicly with GEnie management. Linda Kaplan, a GEnie member for more than five years, had both her internal account and her paid account discontinued last month in what she described as a series of personality conflicts and escalating misunderstandings. She said that GEnie cancelled accounts not on the basis of rules being broken but just because someone lost their temper. Apparently, GEnie officials refused to comment on the matter but said that they would clarify their policies in the future. Ms. Kaplan had a paid account but she mainly used a systemwide free account designed to bring in more users. She said that some account holders were bound by the secret agreements forbidding them from criticizing GEnie, its sysops or executives. She added that friends who inquired about her absence from forums or who questioned management's handling of the incident either in on-line forums or private electronic mail found themselves drawn into the fray. When another long time user, Peter Pawlyschyn, contacted management and inquired about his rights on the service, he found himself censored and harassed. Other members have said that they were reduced to read-only status or had their accounts cancelled after simply mentioning Kaplan's name in postings. Soooooo, here we go again with the issue of censoring certain materials in large online systems. Or is it really an issue? ^^^^^^^^^^^^^^^^^^^^^^^^^ Alex Cruz Associate, Center for Advanced Study in Telecommunications Consultant, American Airlines Decision Technologies - ------- End of Forwarded Messages ------- End of Forwarded Message ------------------------------ Date: Tue, 30 Apr 91 10:24:00 N From: Herman J. Woltring Subject: Email, Privacy, and `small print' Sender: Biomechanics and Movement Science listserver Considering yesterday's issue of the RISKS-Forum Digest (volume 11, No. 56) on breach of privacy, email censoring, and improper `small print' in contract clauses, I am reposting part of my note of last February on public access to email facilities. [...] > Date: Sat, 23 Feb 91 11:10:00 N > Sender: Biomechanics and Movement Science listserver > From: Herman J. Woltring" > Subject: Public access to Internet etc. > > Dear Biomch-L readers, > > While email communication is usually available for free to account holders > on EARN/BITNET, Internet, etc., (log-on time, disk usage, paper output > typically being charged), it may be useful to mention that email access is > also becoming increasingly available through PC and modem facilities by > telephone [...; typically, number of transmitted bytes and/or logon time > being charged -- HJW]. > > Interestingly, one such service (PRODIGY) has been accused of censoring > email to and from its subscribers. Whether this allegation is true or > not, such issues do raise concern about freedom of opinion, free access > to information, and similar fundamental rights in a networking context, > especially if (with some justification, perhaps) `network harrassment' is > used as an argument to counter network `flaming'. As said at a previous > occasion: "verba volent, scripta manent" ... The allegations in RISKS-11.56 against Prodigy and GEnie, two commercial email service providers in North America, warrant considering the question whether it is about time that Postal legislation (i.e., postal services are not entitled to refuse, (unnecessarily) delay, read, or censor your mail, or to divert it from its destination without a proper court order) shall also apply to electronic mail, whether through private or public channels. I do not propose to have this topic as a debate on this list; however, I think that a pointer to the relevant debate is not out of place even on a discussion list like ours, and I shall be happy to consider any comments sent to me privately. I might mention in this respect that the Dutch legislative is currently considering a Computer Crime Bill in which unauthorized access to computers, e.g., by networking, is considered a felony, and that some of the proposals remind more of the U.K.'s Official Secrets Act than of the U.S.A.'s Freedom of Information Act. One heavily debated topic is to what extent computer trespassing will be declared a criminal offence if no appropriate security is provided by system management. If not, private (and public) interests can afford to neglect system security and yet call upon public authorities for free to protect their interests once they observe that their sloppyness has been `used'. This is unusual in Civil Law as any insurance company will be happy to point out, and not very compatible with the classical view that Criminal Law is the Ultimate Resort, `when all else fails'. Herman J. Woltring, Biomch-L co-moderator & (former) member, Study-committees on s/w & chips protection / Computer crime, Neth. Society for Computers and Law ------------------------------ Date: Tue, 30 Apr 91 09:43:47 EDT From: epstein%trwacs@uunet.UU.NET (Jeremy Epstein) Subject: Prodigy commentary I found the comments on Prodigy very enlightening. I'm glad I'm not a subscriber. However, I was very concerned by one comment: > I invited you to look at your own STAGE.DAT file, if you're a Prodigy >user, and see if you found anything suspect. Since then I have had numerous >calls with reports of similar finds, everything from private patient medical >information to classified government information. If you have classified government information on your PC, you should not be using it to call *anywhere* using *any* comm package. That's just good sense (and it may even be the law, I'm not sure). I'm certainly not defending Prodigy...if what was described is accurate, it certainly sounds like a mass invasion of privacy, theft, and some nice big lawsuits. Has any of this made it into the non-technical press (e.g., Wall Street Journal, NY Times, LA Times). Jeremy Epstein, Trusted X Research Group, TRW Systems Division, Fairfax VA +1 703/876-8776 epstein@trwacs.fp.trw.com ------------------------------ Date: 30 Apr 91 15:18:47 EDT (Tue) From: tneff@bfmny0.bfm.com (Tom Neff) Subject: Prodigy and STAGE.DAT strangeness The simplest explanation for private customer data appearing quasirandomly in the Prodigy STAGE.DAT file is that the access program may allocate buffers without clearing them, then write a comparatively little bit of binary data into them and flush to disk. The unused buffer areas still contain whatever was lying around in memory before Prodigy was started, and this "garbage" will end up on disk. This neither proves malfeasance or innocence on Prodigy's part; but, at worst, carelessness. Clearly their program *could*, if it wished, transmit your computer's entire memory and/or disk contents back home to the Prodigy host. And it could do so *without* storing anything in a file like STAGE.DAT! That's simply a RISK of accepting some black box piece of software in the mail and running it. "Run me," Alice? ------------------------------ Date: Tue, 30 Apr 91 11:32:55 PDT From: rhartman@thestepchild.esd.sgi.com (Robert Hartman) Subject: Re: Prodigy, etc. (RISKS-11.56) WRT the controversies over censoring e-mail and selectively denying service to customers who complain, there already are some laws that should be applicable. It seems to me that there's nothing all that different between an e-mail service and a phone company--except the format of the data being carried. The various phone and long-distance companies are common carriers, and governed by FCC rules. Am I wrong in thinking that a common carrier is not allowed to interfere with the communications they carry, and that they cannot easedrop without a court order? Now, broadcast mail may be open for public scrutiny and rebuttal, but if a carrier offers a "conference call" service, I don't believe that they can restrict anyone from using it, or from saying what they like in the course of such a call. Bulletin board postings seem to me to be analogous to conference calls in the same way that private e-mail messages are akin to private calls. A sharp lawyer ought to be able to convince a judge or jury in a civil suit (where a preponderance of evidence is all that is necessary to win) that Prodigy and the others, in offering their e-mail and BBS services, are operating as de-facto carriers for electronic communications. As such, they should be held accountable under the same rules as any other carrier, and liable for any breaches. Esp. when they are run by large corporations with legal staffs. They can't plead ignorance. I can't understand why they'd risk legal exposure in this way, not to mention the negative publicity of a trial! A risk in obtaining such a ruling would be that all BBS operators--at least those using the phone lines, might have to be licensed. But then, if there are enough of them who write enough letters to legislators, a new class of licenses for "amateur e-mail and BBS carriers" could be mandated. We could even make it an automatically-granted license, so long as there is no charge for the service. As far as the issue of Prodigy uploading private data goes, this sounds like a clear case of wire fraud to me. Wish I were the lawyer to get that case! Can you spell "class action?" I knew you could. Mr. and Mrs. Middle Class America will be mightily annoyed if this is true. ------------------------------ Newsgroups: comp.risks Subject: RISKS DIGEST 11.59 From: risks@CSL.SRI.COM (RISKS Forum) Date: 1 May 91 23:34:44 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Approved: risks@csl.sri.com Lines: 417 RISKS-LIST: RISKS-FORUM Digest Wednesday 1 May 1991 Volume 11 : Issue 59 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: "Losing" a Warehouse (Jane Beckman) Soon, ATMs May Take Your Photograph, Too (Paul B. Carroll via Michael W.Miller) Old O/S and Network Security (Bob Estell) Genie (Chuq Von Rospach) Prodigy Problem in Major Press (Bill Biesty) Re: Prodigy (Chuq Von Rospach, A. Padgett Peterson, Mary Culnan, Bill Seurer) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1". ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. - ---------------------------------------------------------------------- Date: Wed, 1 May 91 16:14:52 PDT From: jane@stratus.swdc.stratus.com (Jane Beckman) Subject: "Losing" a Warehouse I've been meaning to post this for a while, as it is a perfect illustration of the hazards of a system that gets too dependant on computer programs. In 1989, Mongomery Ward had a sale of "discontinued, one-of-a-kind, and out- of-date merchandise." A fellow I was dating, who was a Wards employee, told me the story of where it had come from. Around 1985, Wards had reprogrammed their master inventory program. Somehow, the entry for the major distribution warehouse in Redding, California, was left out. One day, the trucks simply stopped coming. Nothing was brought into the warehouse, and nothing left. Paychecks for the employees, however, which were on a different system, kept coming. While this was baffling to the employees, they figured it was better not to make waves. (Rumor has it that they were afraid the warehouse had been phased out, and they had "forgotten" to lay them off, and figured it was better to stay employed.) They went to work every day, and moved boxes around the warehouse, and submitted timecards, for three years, until someone doing an audit finally wondered why major amounts of merchandise had simply disappeared. Tracing things back, the missing warehouse was finally re-found. They were then stuck with an entire warehouse full of white elephants--- merchandise that was three years out of date. Thus, Wards stores throughout California ended up with major amounts of discontinued merchandise to sell at deep discounts. Wards, being majorly embarrassed, tried to downplay how the merchandise was "found." Or, more specifically, why it had become lost in the first place. The store employees got a big chuckle over the warehouse employees being afraid to mention this oversight to the higher-ups, for fear of becoming unemployed. Many references to "like jobs with the government." Of course, the question is: is this the only case like this? Are there more places where an operator entry glitch has caused some function to simply disappear? Things like this happen when live people are accidentally classed as "dead," etc. What happens if someone types the wrong thing, and the local branch of your bank, or MacDonalds, or whatever, simply ceases to exist, to the central computer? Jane Beckman [jane@swdc.stratus.com] - ------------------------------ Date: Wed, 1 May 91 08:06:51 pdt From: mikeym@well.UUCP (Michael W. Miller) Subject: Soon, ATMs May Take Your Photograph, Too Soon, ATMs May Take Your Photograph, Too, By Paul B. Carroll, Wall Street Journal, 25 April 1991, Page B1 (Technology) *Smile* when you use that automated teller machine. Miniature cameras may soon become widespread in ATMs and elsewhere. At Edinburgh University in Scotland, researchers have produced a single computer chip that incorporates all the circuitry needed for a video camera. Even with a lens that fits right on top of the chip, it's still just the size of a thumbnail. When they become available in a year or so, such cameras may carry as little as a $40 price tag. NCR thinks these tiny cameras could find their way into lots of ATMs in the next few years. The computer maker already sells ATMs that include cameras, allowing banks to doublecheck on people who contend their account was debited even though they didn't use an ATM that day. But those cameras are expensive, especially because the big box with the electronics has to be so far back in the ATM that it requires a long, elaborate lens. The lens also gives away to potential cheats the fact that the camera is there, whereas the new tiny cameras will just need a pinhole to peep through. "We see this as a breakthrough," says Greg Scott, an engineer with NCR in Dunfermline, Scotland. The Scottish Development Agency, which supplied some of the initial research funds, says the tiny cameras may also find their way into baby monitors, picture telephones, bar-code readers and robotic vision systems. - ------------------------------ Date: 1 May 91 07:59:00 PDT From: "351M::ESTELL" Subject: Old O/S and Network Security For years now, there has been a reasonable solution to the problem of "an old O/S" and network security: Install a newer, much improved O/S (WRT network security) _between_ the open network, and the "closed" community that uses the old O/S to process valuable information. If you REALLY want security, install a Honeywell SCOMP between the internet, and your local host, LAN, or whatever; at less cost, and more risk, install any C2 or better O/S host at that connection site. Then the would-be hacker has to penetrate something a bit better than the "standard out of the box" 5-pin lock that yields in *seconds*. Such a connection can be layered; e.g., one can put a "C2" host (such as a DEC VAX running VMS 5.x, with security options turned on) on the internet, as a MAIL host; then a "B2" (or better) system between that MAIL machine on the internet, and another MAIL machine on the local network; and even other "B2" (or better) nodes within the local net protecting the most "valuable" hosts on it. This is the electric analog to the fence around the base, the lock on the building door, the locked office, and the safe inside the office. The continuing reluctance of "management" (both "general" and "system") to adopt this (or other, better) solutions is perhaps one key to the continuing lack of security. Are we still "hung up" on the cost of hardware, versus cost of personnel time to chase intruders? Are we too proud to admit that we need to improve? Is the old aphorism right: "Never attribute to malice anything that can be explained by stupidity." Bob [The Honeywell SCOMP -- still the only A1 evaluated system -- is now the Bull SCOMP. - ------------------------------ Date: 1 May 91 06:17:40 GMT From: chuq@Apple.COM (Chuq Von Rospach) Subject: Genie: (was Re: Email, Privacy, and `small print') By the way, to clear things up before the flaming starts, GEnie has recently clarified its user policies for acceptable behavior (in the wake of the Linda Kaplan affair, of which I'm trying to avoid speaking about). Their policy on email is quite clear -- they say that junk mail, chain letters, offensive or libelous mail, etc etc are unacceptable -- but they also make it perfectly clear that GEnie does not under any circumstances monitor or read email on their systems. They will investigate and deal with inappropriate mail ONLY after complaints from the recipients. Please don't start lumping GEnie and Prodigy together. They are like Night and Orange Juice. chuq (not attached to GEnie in any official way, although they do subsidize one of my GEnie accounts. Aren't disclaimers silly?) Chuq Von Rospach >=< chuq@apple.com >=< GEnie:CHUQ or MAC.BIGOT >=< ALink:CHUQ SFWA Nebula Awards Reports Editor =+= Editor, OtherRealms Book Reviewer, Amazing Stories ---@--- #include Recommended: ORION IN THE DYING TIME Ben Bova (Tor, Aug, ***-); SACRED VISIONS Greeley&Cassutt (Tor, Aug, ****+); MEN AT WORK George Will (****); XENOCIDE Orson Scott Card (August, ****) - ------------------------------ Date: Wed, 1 May 91 16:21:52 CDT From: wjb@edsr.UUCP (Bill J Biesty) Subject: Prodigy Problem in Major Press This is the summary of the WSJ article I get mailed to me on a daily basis. Interesting that Prodigy does NOT deny that it sends customer data to their host; ONLY that they DO NOT USE it. If they "haven't any interest in getting there" as the summary says, why are they spending their own money to get customer data in the first place? (Prodigy charges a lump fee for unlimited connect time, so they are absorbing the cost of sending this extra data.) Bill Biesty SUBJECT: WSJ DAILY EXTRACT 5/1/91 POSTED 05/01/91 16:09 FROM: EDS BULLETINS WALL STREET JOURNAL DAILY EXTRACT 05/01/91 The following "extracts" are taken from Wall Street Journal (WSJ) articles and are posted on the eMail Bulletin Board daily. Technical Resource Acquisition (TRA), assumes no responsibility for the accuracy of the extracts, which are simply provided as a service to those who do not have the time to read the WSJ. The extracts do not represent the opinion of EDS nor TRA, and are posted for informational purposes only. [...other summaries deleted...] o Subscribers to the popular Prodigy computer service are discovering an unsettling quirk about the system: It offers Prodigy's headquarters a peek into users' own private computer files. The quirk sends copies of random snippets of a PC's contents into some special files in the software Prodigy subscribers use to access the system. Those files are also accessible to Prodigy's central computers, which connect to users' PCs via phone lines. Prodigy, a joint venture of IBM and Sears, Roebuck & Co., offers nearly one million users electronic banking, games, mail and other services. The service's officials say they're aware of the software fluke. They also confirm that it could conceivably allow Prodigy employees to view those stray snippets of private files that creep into the Prodigy software. But they insist that Prodigy has never looked at those snippets and hasn't any intention of ever doing so. "We couldn't get to that information without a lot of work, and we haven't any interest in getting there," says Brian Ek, a Prodigy spokesman. Nevertheless, news of the odd security breach has been stirring alarm among Prodigy users. Many have been nervously checking their Prodigy software to see what snippets have crept into it, finding such sensitive data as lawyer-client notes, private phone-lists, and accountants' tax files. Even though Prodigy users' privacy doesn't appear to have been invaded, the software problem points up the security risks that can arise as the nation races to build vast networks linking PCs via telephone lines. - ------------------------------ Date: 1 May 91 06:32:03 GMT From: chuq@Apple.COM (Chuq Von Rospach, only here for the beer) Subject: Re: Prodigy, etc. (RISKS-11.56) >It seems to me that there's nothing all that different between an e-mail >service and a phone company--except the format of the data being carried. There are actually a LOT of differences. Phone companies are regulated, quasi-governmental agencies with guaranteed monopolies where the regulating agency has build a set of regulations to make sure that the phone company doesn't take advantage of their monopoly. E-mail services are private businesses that are doing businesses with individuals in an unregulated industry. Now, you can argue that e-mail companies *OUGHT* to be regulated like phone companies -- but they aren't, and to do so would require legislation (and probably court fights and other associated legal stuff). >but if a carrier offers a "conference call" service, I don't believe >that they can restrict anyone from using it, or from saying what they like in >the course of such a call. Sure they can. They are a company doing business. When you sign up with them, you make an agreement to do business with them within the guidelines that are set down in the agreement. If you abrograte that agreement (be it "not pay the bill" or "put the company in a situation of legal liability") then that company has the right to terminate the agreement. There is no guarantee of service. Even with the phone company, there is no guarantee of service -- you don't believe me, go a few months without paying your bill and argue that you have a right to continue using your phone. >A sharp lawyer ought to be able to convince a judge or jury in a civil suit >(where a preponderance of evidence is all that is necessary to win) that >Prodigy and the others, in offering their e-mail and BBS services, are >operating as de-facto carriers for electronic communications. Sorry, I don't buy it. First, when you sign up for GEnie (and others), you sign an agreement which stipulates the services rendered and the responsibilities to both parties. What you're trying to do here is convince a judge/jury that the legal contract you signed is, in fact, not valid. Not likely to happen. Second, "de-facto carrier" is, to me, a non-statement. An entity is either a common carrier legally or it is not. If it is not a common carrier, it can be held liable for what YOU do on ITS computers. There's no defacto attached -- unless it is given real, legally binding (through legislation or legal precedent) common carrier status, a company HAS to have the right to refuse you service and monitor your behavior for appropriateness, becaus otherwise you are in a position of putting them in legal liability without them having any recourse to protect themselves. Sounds good -- but your thoughts don't seem to be well thought out as to how things are in real life. Chuq - ------------------------------ Date: Wed, 1 May 91 12:03:26 -0400 From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: PRODIGY In the current issue of the Prodigy Star (newsletter sent out from Prodigy to users) there is a two page article from Harold Goldes (one of the Prodigy EXPerts) on computer viruses. While it is quite informative, the issue of online updating of executables/data is skated though one point seems clear - they do not guarentee that you will not get a virus from Prodigy, and if you do, it is your problem. - ------------------------------ Date: 1 May 91 11:40:00 EDT From: "Mary Culnan" Subject: Prodigy Prodigy recently ran an ad in DM News, a weekly direct marketing trade newspaper with the header "..But you can't miss with Prodigy Direct Mail." The ad is encouraging companies to use Prodigy for direct marketing and says in part, "Now, for the first time, marketers can deliver electronic mail to targeted segments of the PRODIGY service member file..." Prodigy service members are highly-responsive, highly-qualified prospects. They are young, well-educated, well-paid and well-traveled. And they're active users of the PRODIGY service, signing on 10 times a month on average, for about 20 minutes each time. Members' demographic data is merged with their PRODIGY service usage information to offer yo more than a dozen selections based on their interests and activities, such as personal finance, sports, computers, travel, etc.... PRODIGY Direct Mail offers you the most sophisticated application available of high-tech, high-touch direct-to-consumer marketing." Clearly they are looking over the shoulders of every user--a point that was also made in the recent NOVA show, "We Know Where You Live." Mary Culnan - ------------------------------ Date: Wed, 1 May 1991 11:01:59 -0500 (CDT) From: Bill Seurer Subject: A Prodigy experiment Because of all the rumors flying around of Prodigy uploading data off of user's harddisks I decided to test if this was indeed happening. All of these rumors are based on the fact that the staging file (STAGE.DAT) Prodigy uses to buffer its screens on the harddisk sometimes is found to contain bits and pieces of user files and directories. Some users claim this proves Prodigy is uploading the data while others just say it is an artifact of the way that DOS allocates files and because Prodigy does not initialize the file when it is created. I devised and carried out the following experiment in order to test if this was happening. The results are: Prodigy does not appear to be uploading any data. The STAGE.DAT file contains bits and pieces of ERASED files. The experiment went as follows: 1) Re-installed Prodigy. I erased all of the files Prodigy had installed on my system. 2) Modified CONFIG.SYS and AUTOEXEC.BAT to remove all TSRs and have 0 DOS buffers. I removed the disk caching software I usually use. This was to prevent any leftovers in buffers or caches from showing up in STAGE.DAT and so that I could monitor what the harddisk was doing more easily. 3) Defragmented the harddisk so that all files were in contiguous blocks. 4) I ran CLEANDSK and CLEANEND to write zeroes over all the unused parts of the disk and over the unused ends of DOS files. 5) Powered the PC off and then on. All memory was therefore flushed and the minimal system with no buffers was in use. 6) I created several large (500k) files each containing a different pattern of characters. After all were created, I erased them. This was to test whether STAGE.DAT is picking up bits of erased files. 7) I installed Prodigy using a large buffer. This created a STAGE.DAT file that was just under 1 meg in size. 8) I browsed STAGE.DAT to see what was inside. The first 250k or so had interesting stuff and the other 750k was 0's. The interesting stuff was mostly buffered Prodigy windows (I could tell by the text that was mixed in) along with scattered pieces of one of the files I had created and deleted in step 7. This file made up about 100k of STAGE.DAT. and given where the data was I'd guess that the first 200k or so of STAGE.DAT had been overlaid on the disk where this file used to be. The *ONLY* non-Prodigy thing that I saw was a copy of my environment variables (COMPSEC, PATH, and PROMPT). I noted that the windows that were buffered were the "old" windows (Prodigy has changed many of its windows since I got my installation kit). 9) Made a copy of STAGE.DAT so that I could compare it with an updated copy after I signed on. 10) I again powered the PC off and on to clear all the memory. 11) I signed on Prodigy. While on I read some mail, sent some mail, read a few BBS appends, and looked at a couple of ads. Then I signed off. I noticed some things when I signed on. First of all, it took a looooong time. I surmised that all those "old" windows I had seen in STAGE.DAT were being updated. I carefully watched my modem lights and harddisk light (remember, I had no buffering). About 95% of the time (at least!) the modem was receiving data. At the end of each long receive (some were 4 or 5 seconds long) the hard disk would be used briefly and the modem transmit light would flicker on. Then there would be another long receive and etc. At no time was my modem transmitting for more than a fraction of a second. 12) Using a hex/ASCII file comparison tool I compared the contents of the STAGE.DAT that I had saved with the updated one after I logged off Prodigy. Many of the menus I had noticed the first time I looked were changed to the newer formats. Also, the sign off menus and some of the messaging menus had either overwritten some (but not all) of the data from the file I had created and deleted in step 7 or been added at the end of the 250k of initially used area in STAGE.DAT. STAGE.DAT now had about 280k of used area less perhaps 80-90k of data from the file in step 7. This experiment shows to me that all the stuff about Prodigy uploading files is rumors started by people ignorant of how DOS works. Some people said that they reinstalled Prodigy to see if that changed STAGE.DAT but they didn't defragment/zero out their disks first so their data is highly suspect. If they had watched their modem lights they would realize that almost no time is spent sending data to Prodigy when signing on but is almost all sent receiving it. If I were to run this again I would change step 7 to completely fill up the unused portion of my harddisk with the dummy files and then erase them all. My guess is that the 750k of space at the end of STAGE.DAT would then contain bits from those files. Later this week I think I'll try this and see. My set-up in case you're interested is: IBM PC-1 (the original) with an Intel Inboard/386, 40 meg harddisk, 2400 baud modem, DOS 3.2, and Prodigy 3.1 (which is the latest I believe). If you have any questions about the experiment I'm more than happy to answer them. Also, if you have suggestions for more things to try next time let me know. - Bill Seurer IBM: seurer+@rchland Prodigy: CNSX71A Rochester, MN Internet: seurer+@rchland.vnet.ibm.com - ------------------------------ End of RISKS-FORUM Digest 11.59 ************************ .