****************************************************************************
                  >C O M P U T E R   U N D E R G R O U N D<
                                >D I G E S T<
              ***  Volume 3, Issue #3.16 (May 9, 1991)   **
  ****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith / Bob Kusumoto
GAELIC GURU: Brendan Kehoe

            +++++     +++++     +++++     +++++     +++++

CONTENTS THIS ISSUE:
File 1: Moderator's Corner
File 2: Is Prodigy snooping thru your hard disk?
File 3: Prodigy under Fire
File 4: Comp.Org.Eff.Talk. comments on Prodigy FYI
File 5: Prodigy's Response to Stage.dat File
File 6: A Few Observation on Prodigy
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

USENET readers can currently receive CuD as alt.society.cu-digest.
Back issues are also available on Compuserve (in: DL0 of the IBMBBS sig),
PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet.
Anonymous ftp sites: (1) ftp.cs.widener.edu (192.55.239.132);
                     (2) cudarch@chsun1.uchicago.edu;
                     (3) dagon.acc.stolaf.edu (130.71.192.18).
E-mail server: archive-server@chsun1.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  Some authors, however, do copyright their material, and those
authors should be contacted for reprint permission.  It is assumed
that non-personal mail to the moderators may be reprinted unless
otherwise specified. Readers are encouraged to submit reasoned
articles relating to the Computer Underground.  Articles are preferred
to short responses.  Please avoid quoting previous posts unless
absolutely necessary.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Contributors assume all
            responsibility for assuring that articles submitted do not
            violate copyright protections.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Moderators
Subject: Moderator's Corner
Date: May 9, 1991

********************************************************************
***  CuD #3.16: File 1 of 6: Moderators Corner                   ***
********************************************************************

++++++++++++
Newmail Problems
++++++++++++

There appear to be mailer problems somewhere along the lines.  CuD
3.13 was re-sent because of some garbling problems; CuD 3.14 went out
of NIU with no problem and we received few bounces, but apparently
that issue was gobbled up and only a few received it.  A significant
number of 3.15s were returned because they could not sneak through a
particular gateway. If you are not receiving CuD within a few days of
the pub date in the header, let us know.

+++++++++++++
CuD's Old News
+++++++++++++

We are occasionally asked why we print "old news" that has been
circulated on the nets for awhile.  A recent Usenet survey of all
newsgroup use estimates that CuD reaches about 9,300 through usenet.
Relatively few sites (210) make CuD available to their users, so the
readers-per-site matches that of more-established on-line journals
such as RISKS and our progenitor TELECOM-DIGEST. In addition to a
mailing list of about 700, we immediately reach about 10,000 with each
posting.  However, we have about 30 additional non-usenet feeds, and
other readers obtain CuD from GEnie, Compuserve, and hundreds of BBSs,
including two of the largest in the country (PC-EXEC and AV-SYNC).  We
also send out various back issues to about a dozen people each month
who do not subscribe but simply want specific information.  This means
that, for perhaps one third of the readers, CuD may be the only source
of news, so what is "old" to most of us fills in gaps for others. We
try to assure that those without net access are provided with the
basics of stories covered in other digests (thus our policy of
reprinting old material) and hard-copy media.  Further, some of the
posts we print are sent to several other outlets simultaneously, and
sometimes hold these for a week or two prior to publishing.  For those
who find these stories stale, we apologize, but the feedback from
those who are, believe it or not, only now hearing about Sun Devil
indicates that, for better or worse, some dated coverage is necessary.
So, thanks for not complaining too much.

+++++++++++
Prodigy
+++++++++++

This issue focuses on the problems of Prodigy. As most know by now,
Prodigy was criticized last year for apparent censorship and what some
felt was high-handed treatment of customers complaining first about
Prodigy's billing practices, and next about Prodigy's response to
those who complained to other Prodigy users through E-mail. Another
problem has arisen. It seems that Prodigy's user-interface, Stage.dat,
appears to include bits of private data from users' other files.
Thanks to all those who have sent us material. We have selected the
most comprehensive to summarize the current brouhaha.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: The Moderators' <72307.1502@COMPUSERVE.COM>
Subject: Is Prodigy snooping thru your hard disk?
Date: 02 May 91 20:49:57 EDT

********************************************************************
***  CuD #3.16: File 2 of 6: Is Prodigy Snooping?                ***
********************************************************************

We recently received the following summary of an article that appeared
in the May 1, 1991 issue of the Wall Street Journal.  No further
citation was given.  As automated access programs become more popular
(eg: Compuserve's CIM and GEnie's Aladdin) this issue will become even
more worrisome.   Not only could your email be compromised, but it is
possible that such programs could inventory your hard drive, reporting
which applications you have installed, and their serial numbers.
Would an organization, such as the SPA, sponsor such a program?  Alas
there appears to be little (if anything) that would prevent them from
doing so.
++++++++++++++++++++++++++++++++++++++

Subscribers to the popular Prodigy computer service are discovering an
unsettling quirk about the system:  It offers Prodigy's headquarters a
peek into users' own private computer files.  The quirk sends copies
of random snippets of a PC's contents into some special files in the
software Prodigy subscribers use to access the system.  Those files
are also accessible to Prodigy's central computers, which connect to
users' PCs via phone lines.  The service's officials say they're aware
of the software fluke. [ We'd use a stronger word than 'fluke' here,
but we don't write for the WSJ - CuD ]  They also confirm that it
could conceivably allow Prodigy employees to view those stray snippets
of private files that creep into the Prodigy software.  But they
insist that Prodigy has never looked at those snippets and hasn't any
intention of ever doing so.  "We couldn't get to that information
without a lot of work, and we haven't any interest in getting there,"
says Brian Ek, a Prodigy spokesman. Nevertheless, news of the odd
security breach has been stirring alarm among Prodigy users.  Many
have been nervously checking their Prodigy software to see what
snippets have crept into it, finding such sensitive data as
lawyer-client notes, private phone-lists, and accountants' tax files.
Even though Prodigy users' privacy doesn't appear to have been
invaded, the software problem points up the security risks that can
arise as the nation races to build vast networks linking PCs via
telephone lines.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:   Anonymous
Subject: Prodigy under Fire
Date:  Thu, 9 May 91 01:22:52 CDT

********************************************************************
***  CuD #3.16: File 3 of 6: Prodigy under Fire                  ***
********************************************************************

********************************************************************
********************************************************************

     News of the Earth           Global news and information
                           *     from electronic and print sources
           supplements   *   *   edited by
                           *     Regina P Knight, Geert K Marien
        ISSN 1052-2239           and John B Harlan

********************************************************************

       Subject:   Prodigy
Contributed by:   Donna B Harlan
                  Harlan@IUBACS / Harlan@UCS.Indiana.Edu

   News source:  Help-Net (BITNET/CREN/Internet Help Resource)
                   on ListServ@TempleVM
          Date:  Thu, 2 May 91 12:31:52 CST
Original title:  Prodigy
    and author:  Suzana Lisanti <LISANTI@MITVMA.BITNET>
         Notes:  This was forwarded from Help-Net to Roots-L
                   (Genealogy List) on ListServ@NDSUVM1


              *****  Start of forwarded material  *****

----------------------------Original message------------------------
I'm forwarding this message regarding Prodigy... I have no idea
if it's true or not...
------------------ Beginning of forwarded message -----------------
        The L. A. County District Attorney is formally investigating
PRODIGY for deceptive trade practices.  I have spoken with the
investigator assigned (who called me just this morning, February 22,
1991).

We are free to announce the fact of the investigation.  Anyone can
file a complaint.  From anywhere.

The address is:

District Attorney's Office
Department of Consumer Protection
Attn: RICH GOLDSTEIN, Investigator
Hall of Records   Room 540
320 West Temple Street
Los Angeles, CA 90012

Rich doesn't want phone calls, he wants simple written statements
and copies (no originals) of any relevant documents attached.  He
will call the individuals as needed, he doesn't want his phone
ringing off the hook, but you may call him if it is urgent at 1-213-
974-3981.

PLEASE READ THIS SECTION EXTRA CAREFULLY.  YOU NEED NOT BE IN
CALIFORNIA TO FILE!!

        If any of us "locals" want to discuss this, call me at the
Office Numbers: (818) 989-2434; (213) 874-4044.  Remember, the next
time you pay your property taxes, this is what you are supposed to
be getting ... service.  Flat rate?  [laugh] BTW, THE COUNTY IS
REPRESENTING THE STATE OF CALIFORNIA.  This ISN'T limited to L. A.
County and complaints are welcome from ANYWHERE in the Country or
the world. The idea is investigation of specific Code Sections and
if a Nationwide Pattern is shown, all the better.

LARRY ROSENBERG, ATTY

  Prodigy: More of a Prodigy Than We Think?
  By: Linda Houser Rohbough

     The stigma that haunts child prodigies is that they are
difficult to get along with, mischievous and occasionally, just flat
dangerous, using innocence to trick us. I wonder if that label fits
Prodigy, Sears and IBM's telecommunications network?

     Those of you who read my December article know that I was
tipped off at COMDEX to look at a Prodigy file, created when Prodigy
is loaded STAGE.DAT. I was told I would find in that file personal
information form my hard disk unrelated to Prodigy.  As you know, I
did find copies of the source code to our product FastTrack, in
STAGE.DAT. The fact that they were there at all gave me the same
feeling of violation as the last time my home was broken into by
burglars.

     I invited you to look at your own STAGE.DAT file, if you're a
Prodigy user, and see if you found anything suspect. Since then I
have had numerous calls with reports of similar finds, everything
from private patient medical information to classified government
information.

     The danger is Prodigy is uploading STAGE.DAT and taking a look
at your private business. Why? My guess is marketing research, which
is expensive through legitimate channels, and unwelcomed by you and
I.  The question now is: Is it on purpose, or a mistake?  One caller
theorizes that it is a bug. He looked at STAGE.DAT with a piece of
software he wrote to look at the physical location of data on the
hard disk, and found that his STAGE.DAT file allocated 950,272 bytes
of disk space for storage.

     Prodigy stored information about the sections viewed frequently
and the data needed to draw those screens in STAGE.DAT. Service
would be faster with information stored on the PC rather then the
same information being downloaded from Prodigy each time.

     That's a viable theory because ASCII evidence of those screens
shots can be found in STAGE.DAT, along with AUTOEXEC.BAT and path
information. I am led to belive that the path and system
configuration (in RAM) are diddled with and then restored to
previous settings upon exit. So the theory goes, in allocating that
disk space, Prodigy accidently includes data left after an erasure
(As you know, DOS does not wipe clean the space that deleted files
took on the hard disk, but merely marked the space as vacant in the
File Allocation Table.)

     I received a call from someone from another user group who read
our newsletter and is very involved in telecommunications.  He
installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg
disk. Sure enough, upon checking STAGE.DAT he discovered personal
data from his hard disk that could not have been left there after an
erasure. He had a very difficult time trying to get someone at
Prodigy to talk to about this.

                           --------------

Excerpt of email on the above subject:

THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST
ALL WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY.  THE FILE
DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR
PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY
SUB-DIRECTORY CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND
WAITING FOR THAT NEXT MENU COME UP, THEY'RE UPLOADING YOUR STUFF AND
LOOKING AT IT.

     TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A
GENTLEMAN WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS
A COLUMNIST ON PRODIGY. HE SAID THAT THE INFO FOUND IN
'FRAUDIGY.ZIP' WAS INDEED TRUE AND THAT IF YOU READ YOUR ON-LINE
AGREEMENT CLOSELY, IT SAYS THAT YOU SIGN ALL RIGHTS TO YOUR COMPUTER
AND ITS CONTENTS TO PRODIGY, IBM & SEARS WHEN YOU AGREE TO THE
SERVICE.

     I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN
'PRODIGY' KIT.  I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD
DRIVE PARTITION, AND ONE ONTO A 1.2MB FLOPPY.  ON THE FLOPPY
VERSION, UPON INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE
FILE 'STAGE.DAT' CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE
CONTAINED IN MY 'C:' DRIVE BOOT DIRECTORY.  USING THE HARD DRIVE
DIRECTORY OF PRODIGY THAT WAS SET UP, I PROCEDED TO LOG ON.  I
LOGGED ON, CONSENTED TO THE AGREEMENT, AND LOGGED OFF. REMEMBER,
THIS WAS A VIRGIN SETUP KIT.

     AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND
IN THE PRODIGY SUBDIRECTORY.  IN THOSE FILES, I FOUND POINTERS TO
PERSONAL NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY
DRIVE, AND AT THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY
PC-DESKTOP APPOINTMENTS CALENDER.

     CHECK IT OUT FOR YOURSELF.

 ### END OF BBS FILE ###

I had my lawyer check his STAGE.DAT file and he found none other
than CONFIDENTIAL CLIENT INFO in it.

Needless to say he is no longer a Prodigy user.


Mark A. Emanuele   V.P. Engineering  Overleaf, Inc.
218 Summit Ave   Fords, NJ 08863   (908) 738-8486
emanuele@overlf.UUCP


               *****  End of forwarded material  *****


********************************************************************
                     Think globally, act locally
********************************************************************

   News of the Earth (ISSN 1052-2239) consists of three components

             NewsE-D  Distribution
                        Global news and information
                        from shortwave radio broadcasts
             NewsE-L  Letters
                        News and reaction from readers
             NewsE-S  Supplements
                        Global news and information
                        from electronic and print sources

           available separately by free subscription from
                      ListServ@IndyCMS  (CREN)
               ListServ@IndyCMS.IUPUI.Edu  (Internet)

********************************************************************

             News of the Earth supplements are edited by

      Regina P Knight:  RPKnight@USMCP6  (CREN)
       Geert K Marien:  GKMXU@CUNYVM  (CREN)
                        GKMXU@CUNYVM.CUNY.Edu  (Internet)
        John B Harlan:  IJBH200@IndyVAX  (CREN)
                        IJBH200@IndyVAX.IUPUI.Edu  (Internet)

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:  "D.Baswell@adacp.com"
Subject: Comp.Org.Eff.Talk. comments on Prodigy FYI
Date:  Sat, $ May 91 09:01:08 GMT

********************************************************************
***  CuD #3.16: File 4 of 6: Assorted Comments on Prodigy        ***
********************************************************************

I find these posts from comp.org.eff.talk interesting. Hope you do
too.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(Begin Posts):

Subject: Re: Prodigy charged with invading users' privacy
Date: 1 May 91 05:17:34 GMT
Sender: usenet@pcserver2.naitc.com (News Poster for NNTP)

in article <1991Apr30.225133.8165@craycos.com> jrbd@craycos.com (James
Davies) writes:
>>     I received a call from someone from another user group who read
>>our newsletter and is very involved in telecommunications.  He
>>installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg
>>disk. Sure enough, upon checking STAGE.DAT he discovered personal data
>>from his hard disk that could not have been left there after an
>>erasure.
>
>Question: was he using an unused disk, or did he just reformat an old
>one, assuming that it would be wiped clean?
>
>Could some Prodigy user out there try this experiment again, this
>time using a verifiably empty disk?  I get the feeling that this hasn't
>exactly been a controlled experiment so far...

Note one thing well:

All formats on a floppy disk ARE LOW LEVEL FORMATS.  That is, all data is
physically erased, sector marks are rewritten, the whole works.

It is not possible on a DOS machine to issue a "FORMAT A:" and have any data
retained on the diskette from prior use.

Try it.  You'll see that this is the case.

To do a controlled test, do the following:

1) Bulk erase and then format a floppy diskette.  NO CHANCE of any
   residual data on the disk surface after this.

2) Run a "cleandisk" program to write ZEROS to all unallocated areas of
   the fixed disk in the machine.  This will guarantee that all
   unallocated areas, which may be used for scratch buffers, have no
   data on them.  The tail end of files are irrelevant -- that's an
   ALLOCATED area and should not be touched by the software if it's
   being "honest".

3) Install Prodigy on the floppy disk.  Do not touch the hard drive,
   or run any software from it.  Work >only< on the floppy disk.

4) Call Prodigy.  Spend an hour or two online.  Give 'em plenty of time
   to hose you if they're going to.

5) Sign off and look at STAGE.DAT on the floppy disk.

Alternately, after cleaning the disk, install the Prodigy software on the
fixed disk.  DO NOT ACCESS ANY OTHER PROGRAMS OR DATA.  Immediately run
Prodigy, dial in, and use it for a couple of hours.

Then check STAGE.DAT on the fixed disk.

Since you zeroed all unallocated areas on the drive before you began, there
is no way the STAGE.DAT file could have gotten private data in it unless the
software is scanning your fixed disk drive.

This should provide rather conclusive proof one way or the other.

I'm not a Prodigy subscriber, or I'd try this...

Subject: Re: Prodigy charged with invading users' privacy (was Re:
Date: 1 May 91 21:07:40 GMT

> zane@ddsw1.MCS.COM (Sameer Parekh) writes:
>
>  Thank you for posting that.  I had previously thought that Prodigy
>was simply a dumb service.  Now I am committed to the education of people to
>stop using Prodigy.  I will be writing an 'information sheet' which I will
>distribute so that we can educate those who are not on the net.  I will post
>it here first so that I may get feedback on how it is.
>  (I didn't hear about it from this post, a friend who obviously read
>this post told me about it.)

The evidence presented so far has been in a word "SHODDY". Before you go making
statements about this matter I would advise you to investigate more fully.
Telling people not to use this service because of a supposely found problem
that later turns out to be false opens the possibility of being sued for LIBEL.
You could be sued for loss of revenue for each and every user you convince to
discontinue or not use the service. This includes lost advertising revenue.

The "litmus" tests I have seen so far are invalid. They show a lack of
understanding of all the possible ways for this to happen (and there are many!)

The proper test should be:
 wipe the hard disk clean -- i.e. low level reformat or wipedisk etc.
    Note: This should be done to any and all disks, partitions, etc on the
          system. (Or remove them)
2: insure all disks are clean!!
3: install test files to look for(if needed).
    Do not delete anything. Do not use any disk compressor.
    Just copy the files onto the disk.
4: POWER OFF the machine. Wait 10 min. (Yes, 10 MIN!)
5: Turn machine on and verify memory is clear.
    Don't do anything except what is listed here. Especially don't go looking
    at files. Don't do anything that might bring a file into memory or a disk
    buffer.
6: install prodigy
7: run prodigy for a period of time (1 hour or so)
8: NOW check the STAGE.DAT file.

An even better test would to be to monitor the data being sent back to Prodigy.

Subject: Re: Prodigy charged with invading users' privacy
Date: 2 May 91 16:03:52 GMT

Now that there is some more reliable data on the STAGE.DAT "controversy",
I hope that everyone will settle down and stop accusing Prodigy of
spying on them.  It appears that the "stolen personal data" in the
file was, as several people have speculated, just leftover pieces of
deleted files.

However, what nobody seemed to notice in all of this hysteria is that
Prodigy doesn't need to move data into STAGE.DAT in order to "steal" it.
They could just as easily have just directly snatched your client lists
and accounting records without buffering it to another file first (in fact,
a truly sneaky system would have done just that, I would say).

There is a lot of trust necessary to use any network software -- for all I
know, "rn" could be browsing through my files right this minute.  However,
there is no reason for me to suspect this, and if it did happen and I
discovered it, I'm sure there would be hell to pay for the person responsible.

Prodigy is in a position to lose quite a bit if they were found to be
illegally spying on their users (can you say "deep pockets"? -- IBM is
the Grand Canyon of deep pockets...)  It's inconceivable to me that they would
be pursuing such a risky policy.

                  jrbd
++++++++++++++++++++++++

Dear Dr. Pangloss

The stage.dat file is created when you install the prodigy software by
pulling random bits from your computer's memory and hard disk erased
space.  This methods is the fastest way to create an "empty" file.  As
you use the service, reusable service information is stored in the
file, overwriting random data stored there initially.  When the
service can get information from your stage file, rather than from the
modem, the service speed is improved. Thanks for writing

+++++++++++++++++++++++++++++++++++++++++++

Comments:

a.  The original message was in upper case.

b.  Although the basic outline is probably correct, I somehow doubt
    that the setup sequence "pulls random bits from your computer's
    memory.".  It's probably using what ever was in the area last.
    Not quite random.  (And not a very nice way to write a program.
    Me, I'd initialize everything to 0's or 1's.)

c.  The moral is clear.  Digital is forever.  When you erase a file
    you don't erase anything, you just tell the system that it can
    reuse the space.  Admiral Poindexter can testify to that.  (And so
    can Peter Norton who's saved many a person's skin.)

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:  FYI
Subject: Prodigy's Response to Stage.dat File
Date: May 5, 1991

********************************************************************
***  CuD #3.16: File 5 of 6: Prodigy's response to Stage.dat File***
********************************************************************

{Moderator's note: We received a number of copies of the following
response by Prodigy to the Stage.dat problem.}

 PRODIGY(R) interactive personal service        05/03/91       10:49 PM

              The Privacy of Member Information

 Some members have asked recently about the privacy of information
 they store on their personal computers, as it relates to their use of
 the PRODIGY service. I felt this subject was important enough to
 inform all our membership about it.

 Privacy of a member's personal information is of primary importance
 to us. We know that our members consider this kind of information
 proprietary, and so do we.

 A recent, unsubstantiated and incorrect newspaper report suggested
 that members' personal information--unrelated to their use of the
 PRODIGY service--is being transmitted to our host computers from our
 members' computers. This is simply not true. It never has been.

 We have no central computers that access private computer files. The
 PRODIGY service software does not read, collect, or transmit to the
 Prodigy Services Company any information or data that is not directly
 connected with your use of the service.

 Member privacy has always been a top priority for Prodigy.  Your use
 of the service can continue with the highest confidence that your
 personal data will not be accessed by us.

 Ted Papes
 President, Prodigy Services Company
 May 2, 1991

 You may have recently read about data from other files appearing
 inside the STAGE. This is a harmless side effect of DOS file
 operations and the process by which the PRODIGY STAGE is created. On
 the following screens you'll find a discussion of your STAGE.DAT
 file.

 If you're interested in the details, please read on. I think you'll
 be more comfortable once you've read the facts.

                              Harold Goldes (CBXH97A)
                              Technical Editor, PRODIGY Star


 used by the STAGE has prompted some to speculate that PRODIGY can gain
 access to that information or other information on a member's hard
 disk. Here are the facts:

    The PRODIGY software does not examine a member's hard disk as a
    whole. It does not read files created by other software. It does
    not read data other than its own. It does not upload files to do
    this. The PRODIGY software confines its file operations to a
    limited and well defined section of your disk: The PRODIGY
    directory.

 When you install the PRODIGY software on your computer we create a
 unique file on your floppy or hard disk:  STAGE.DAT. The STAGE (or
 STAGE.DAT as it appears in your directory or folder) is a "container".
 What does it hold?

 The STAGE contains frequently used information and instructions that
 make up PRODIGY applications ("applications" refers to the individual
 activities available to you on the service; FIND and the Movie Guide,
 are examples).

 Placing portions of applications on the STAGE (and not in other more
 remote parts of our network) puts them close to you. Without a storage
 structure like the STAGE, key components of an application would be
 sent to your computer whenever you visited the application.  This adds
 transmission time. Placing them on your computer saves time. When you
 install the DOS version of the PRODIGY software, you have the choice
 of creating the STAGE in a range of sizes from about 160Kb to 950Kb.
 For Macintosh users there is one size: 200,064 bytes.

 If a member installs to a floppy disk(s), the STAGE may vary in size.
 These intermediate sizes depend on several factors including the
 capacity of the disk and the version of DOS. Once it's been created,
 the STAGE never changes its size. But the date and time stamp on the
 STAGE does change and is updated at the end of every PRODIGY session.
 This reflects the fact that during your session we read PRODIGY
 content from it and write updated PRODIGY content to it.  To improve
 performance during your session, certain frequently used parts of the
 service are always "staged". A larger STAGE, should you choose one,
 permits a growing inventory of applications to reside on your
 computer.  Because our software adapts itself to you, some of the
 content you use regularly can become staged.

 Whenever and wherever you logon to the Prodigy service, we check to
 see if you've got the latest versions of a variety of programs and
 data that reside in the STAGE. If not we send you what you need. You
 don't have to ask for new disks. And you don't have to reinstall.

 Some members use RAMdisks to improve performance. A RAMdisk is a "disk
 drive" made from memory (RAM) not from mechanical parts. It's faster
 than its physical counterpart but can more easily lose data.  For that
 reason we don't recommend using a RAMdisk.  However here's something
 to keep in mind if you're going to do it anyway. A RAMdisk is
 volatile. If you turn your machine off, the information stored on the
 RAMdisk evaporates. As you may be receiving an update each time you
 sign on, be sure to save the updates. To do this, copy the file named
 STAGE.DAT back to your PRODIGY directory before you hit that switch.

 Members often ask about the need to update the PRODIGY software on
 their PRODIGY installation disks. There is no need to update the
 original installation disks. Use those disks (or backup copies) to
 install the software on any computer you use to sign on to the PRODIGY
 Service. Then, when you sign on for the first time, the service will
 automatically update the PRODIGY software.

 Suppose you have two computers and use them both to access the
 service. Let's say you use one more frequently than the other.  Each
 of your computers will get updates, if needed, when you use them. The
 machine used most frequently will be updated steadily (almost
 imperceptibly) by increments. When you use the other machine, you
 might notice a delay during logon because it's receiving a greater
 amount of updated information all at once.

 There's a practical limit to the kinds of changes we can make
 automatically to an existing version of the software.  If you've ever
 tried adding air conditioning to a car you bought without it, you'll
 understand this; sometimes it's best to start over with the really
 useful options built in.  So over time when we make extensive
 improvements to the PRODIGY software, we may send you a new set of
 disks.  From time to time members using the DOS version of the PRODIGY
 software see information from "other" (non-PRODIGY) applications in
 the disk space used by STAGE.DAT.

 Data from non-PRODIGY files is never actually part of STAGE.DAT. More
 importantly it is never accessed or uploaded by the PRODIGY software.
 There are two ways in which extraneous data can appear in the STAGE.
 In the first case, the data was originally located in areas of the
 hard disk once used by other software. At one point in the past, this
 data was erased.

 When you erase a file, PC-DOS or MS-DOS (the operating system for
 personal computers) does not remove the file's contents from your
 disk. Instead it only marks the space used by the file as now
 "available for use". In doing this, it gives other software permission
 to reuse that space.  Until that space is used by its new owner, the
 old data remains. This is why certain "unerase" software packages can
 recover accidentally deleted files.  When you install the PRODIGY
 software, it asks DOS to supply disk space for the STAGE.DAT file.
 Depending on the size of the STAGE you choose, this is usually a
 request for anywhere between 160Kb to 1 Mb.

 DOS then checks its inventory of available disk sectors, finds the
 space and reserves it for its new owner:  STAGE.DAT. But DOS leaves
 any old data in that space intact. Please keep in mind that DOS simply
 supplies the sectors we request (as long as they are available) and
 does not touch their original contents. Next, our install program
 starts filling the space with blocks of PRODIGY information. The
 PRODIGY install program does not erase any old data because to do so
 would appreciably lengthen the install process. As a result, old
 "erased" data may appear in unused space following the blocks (where
 it's more noticeable) as well as in smaller areas that occur within
 the blocks (for more on this see "HOW WE USE SPACE" below).  If you
 chose a large STAGE (anything from 250Kb to 950Kb), chances are that
 at first, a portion of it will be unused.  It is likely that some of
 the space within that unused portion was used by other software at one
 time. If so what you'll see if you examine that area will be
 "leftovers".  Over time, the PRODIGY software will write blocks of
 information to the STAGE replacing whatever is there.  Please keep in
 mind that the PRODIGY software can only recognize the blocks of
 information that it puts into STAGE.DAT itself. It does not read,
 collect, process or transmit "non-PRODIGY data". All disk space
 containing such data is treated as empty.

 Like most major software, to ensure compatibility and reliability when
 creating, reading and writing files, the PRODIGY software employs
 standard "services" provided by your computer's operating system. By
 viewing the STAGE with certain software tools, members have observed
 information from non-PRODIGY applications. However the PRODIGY
 software can neither see this information nor use it. To the PRODIGY
 software this space is considered "empty" and available for storing
 PRODIGY data. Over time, as you use the service, this "empty" space is
 covered by PRODIGY content.

 When we store data in the STAGE, we do it via DOS in blocks of a
 specific size. Let's say that size is 100 bytes. If we store a 120
 byte "object" then we use two blocks (or 200 bytes of storage). What
 we store takes up all of the first block but only 20 bytes of the
 second block. What happens to the remaining 80 bytes of the second
 block? Whatever was there originally remains. If that block was built
 on a previously used sector, 80 bytes of "old" data will be seen.

 There's a second way in which extraneous data may appear within the
 disk space used by the STAGE. When the STAGE is being created, certain
 "control" areas may incorporate information that was in your
 computer's memory (RAM). These areas are used by the STAGE itself to
 keep track of its own contents. This extraneous data may include
 non-erased data or data from another disk. You may observe the names
 of directories, your PATH, or information from the software you were
 using just before you installed the PRODIGY software. To minimize the
 occurrence of this data within the STAGE, just turn your PC off, wait
 15 seconds then turn it on again before installing the PRODIGY
 software.  In short, extraneous information can appear in the disk
 space used by the STAGE and yet not actually be part of it.  The
 appearance of this "non-PRODIGY data" is a side effect of DOS file
 operations or the process by which the STAGE is created.  But, like a
 bottle containing oil and water, this disk space STAGE can contain
 both PRODIGY and non-PRODIGY data which are different and remain
 separate.

 The PRODIGY software does not read information created by other
 software. And it does not read data other than its own. Nevertheless
 some members have tried to delete non-PRODIGY data from the STAGE by
 using file editors.  Modifying the contents of the STAGE file will do
 more harm than good. To maintain the integrity of the STAGE, we use
 special techniques that detect alteration of its contents.  Changing
 the contents of the STAGE with a software tool (like an editor) will
 render the STAGE unusable. You'll have to reinstall the PRODIGY
 software. For those members who are concerned by even the appearance
 of extraneous data within the STAGE, we are preparing a utility to
 eliminate non-PRODIGY data from the STAGE.

 No extraneous information appearing within the disk space used by
 STAGE.DAT is known to or used by PRODIGY.

 The only information used by the PRODIGY software is what is needed
 for the installation and operation of the software.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Moderators
Subject: A Few Observations on Prodigy
Date: 8 May, 1991

********************************************************************
***  CuD #3.16: File 6 of 6: A Few Observations on Prodigy       ***
********************************************************************


Prodigy customers can decide for themselves whether they are satisfied
with the service, and the internal policies of a commercial system are
normally of little direct CU interest.  Here, however, we see at least
two issues that potentially touch the rest of us.

First, whatever the inadequacy of Prodigy's software or the tarnish on
their public image, the stage.dat case raises the same issues that
"hackers" have been raising for over a year.  The legitimate concerns
of users regarding the potential danger to privacy seem over-ridden by
the same hysteria and "lynch mob" mentality that has accompanied law
enforcement attention to the CU. Prodigy may not be the most
sympathetic of victims, but they seem to be victimized by the same
excesses, this time from the private sector, as other individuals
received from law enforcement.  Prodigy management may not handle its
crises well, but this is not a crime, and using a flaw in a program to
impute broader motives reminds us of how prosecutors distorted the
significance of the E911 files, how AT&T fabricated the value of
"losses," or how prosecutors creatively misconstrued facts or legal
language to finagle a version of reality to their liking.

A second issue, one more chilling, was raised by Emmanuel Goldstein of
2600 Magazine. If user-interface software can access information ona
hard drive, consider this scenario: A serial killer is suspected of
being a computerophile. A "psychological profile" has narrowed down
possible suspects who may have an account on a system (like Prodigy)
that essentially takes temporary control of a system while the user is
logged on.  Under existing law, can investigators use such such
systems to "invade" the hard drives of suspects looking for potential
evidence? And, if so, how can this evidence be used? Now, substitute
"serial killer" for "hacker," "pirate," or "marijuana user."

Take another example. If the Secret Service engages in video taping of
the kind it did in Summercon '88 without significant public outcry,
how hard would it be to engage in comparable monitoring of "suspects"
hard drives? We have seen from Sun Devil and other operations (eg,
Steve Jackson Games) how easily search or seizure affidavits can
distort "reality." A year ago we would have thought the possibility of
hard drive snooping absurd.  But, we also would have disbelieved that
the SS would poke holes in motel rooms to video tape 15 hours of
people eating pizza and drinking beer.

The crucial question of Prodigy's stage.dat is not an individual
company's policies, but rather the ability for such programs to be
used by those with the power to abuse it.

********************************************************************

********************************************************************

------------------------------

                         **END OF CuD #3.16**
********************************************************************