home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
cud3
/
cud316d.txt
< prev
next >
Wrap
Text File
|
1992-09-11
|
8KB
|
182 lines
------------------------------
From: "D.Baswell@adacp.com"
Subject: Comp.Org.Eff.Talk. comments on Prodigy FYI
Date: Sat, $ May 91 09:01:08 GMT
********************************************************************
*** CuD #3.16: File 4 of 6: Assorted Comments on Prodigy ***
********************************************************************
I find these posts from comp.org.eff.talk interesting. Hope you do
too.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(Begin Posts):
Subject: Re: Prodigy charged with invading users' privacy
Date: 1 May 91 05:17:34 GMT
Sender: usenet@pcserver2.naitc.com (News Poster for NNTP)
in article <1991Apr30.225133.8165@craycos.com> jrbd@craycos.com (James
Davies) writes:
>> I received a call from someone from another user group who read
>>our newsletter and is very involved in telecommunications. He
>>installed and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg
>>disk. Sure enough, upon checking STAGE.DAT he discovered personal data
>>from his hard disk that could not have been left there after an
>>erasure.
>
>Question: was he using an unused disk, or did he just reformat an old
>one, assuming that it would be wiped clean?
>
>Could some Prodigy user out there try this experiment again, this
>time using a verifiably empty disk? I get the feeling that this hasn't
>exactly been a controlled experiment so far...
Note one thing well:
All formats on a floppy disk ARE LOW LEVEL FORMATS. That is, all data is
physically erased, sector marks are rewritten, the whole works.
It is not possible on a DOS machine to issue a "FORMAT A:" and have any data
retained on the diskette from prior use.
Try it. You'll see that this is the case.
To do a controlled test, do the following:
1) Bulk erase and then format a floppy diskette. NO CHANCE of any
residual data on the disk surface after this.
2) Run a "cleandisk" program to write ZEROS to all unallocated areas of
the fixed disk in the machine. This will guarantee that all
unallocated areas, which may be used for scratch buffers, have no
data on them. The tail end of files are irrelevant -- that's an
ALLOCATED area and should not be touched by the software if it's
being "honest".
3) Install Prodigy on the floppy disk. Do not touch the hard drive,
or run any software from it. Work >only< on the floppy disk.
4) Call Prodigy. Spend an hour or two online. Give 'em plenty of time
to hose you if they're going to.
5) Sign off and look at STAGE.DAT on the floppy disk.
Alternately, after cleaning the disk, install the Prodigy software on the
fixed disk. DO NOT ACCESS ANY OTHER PROGRAMS OR DATA. Immediately run
Prodigy, dial in, and use it for a couple of hours.
Then check STAGE.DAT on the fixed disk.
Since you zeroed all unallocated areas on the drive before you began, there
is no way the STAGE.DAT file could have gotten private data in it unless the
software is scanning your fixed disk drive.
This should provide rather conclusive proof one way or the other.
I'm not a Prodigy subscriber, or I'd try this...
Subject: Re: Prodigy charged with invading users' privacy (was Re:
Date: 1 May 91 21:07:40 GMT
> zane@ddsw1.MCS.COM (Sameer Parekh) writes:
>
> Thank you for posting that. I had previously thought that Prodigy
>was simply a dumb service. Now I am committed to the education of people to
>stop using Prodigy. I will be writing an 'information sheet' which I will
>distribute so that we can educate those who are not on the net. I will post
>it here first so that I may get feedback on how it is.
> (I didn't hear about it from this post, a friend who obviously read
>this post told me about it.)
The evidence presented so far has been in a word "SHODDY". Before you go making
statements about this matter I would advise you to investigate more fully.
Telling people not to use this service because of a supposely found problem
that later turns out to be false opens the possibility of being sued for LIBEL.
You could be sued for loss of revenue for each and every user you convince to
discontinue or not use the service. This includes lost advertising revenue.
The "litmus" tests I have seen so far are invalid. They show a lack of
understanding of all the possible ways for this to happen (and there are many!)
The proper test should be:
wipe the hard disk clean -- i.e. low level reformat or wipedisk etc.
Note: This should be done to any and all disks, partitions, etc on the
system. (Or remove them)
2: insure all disks are clean!!
3: install test files to look for(if needed).
Do not delete anything. Do not use any disk compressor.
Just copy the files onto the disk.
4: POWER OFF the machine. Wait 10 min. (Yes, 10 MIN!)
5: Turn machine on and verify memory is clear.
Don't do anything except what is listed here. Especially don't go looking
at files. Don't do anything that might bring a file into memory or a disk
buffer.
6: install prodigy
7: run prodigy for a period of time (1 hour or so)
8: NOW check the STAGE.DAT file.
An even better test would to be to monitor the data being sent back to Prodigy.
Subject: Re: Prodigy charged with invading users' privacy
Date: 2 May 91 16:03:52 GMT
Now that there is some more reliable data on the STAGE.DAT "controversy",
I hope that everyone will settle down and stop accusing Prodigy of
spying on them. It appears that the "stolen personal data" in the
file was, as several people have speculated, just leftover pieces of
deleted files.
However, what nobody seemed to notice in all of this hysteria is that
Prodigy doesn't need to move data into STAGE.DAT in order to "steal" it.
They could just as easily have just directly snatched your client lists
and accounting records without buffering it to another file first (in fact,
a truly sneaky system would have done just that, I would say).
There is a lot of trust necessary to use any network software -- for all I
know, "rn" could be browsing through my files right this minute. However,
there is no reason for me to suspect this, and if it did happen and I
discovered it, I'm sure there would be hell to pay for the person responsible.
Prodigy is in a position to lose quite a bit if they were found to be
illegally spying on their users (can you say "deep pockets"? -- IBM is
the Grand Canyon of deep pockets...) It's inconceivable to me that they would
be pursuing such a risky policy.
jrbd
++++++++++++++++++++++++
Dear Dr. Pangloss
The stage.dat file is created when you install the prodigy software by
pulling random bits from your computer's memory and hard disk erased
space. This methods is the fastest way to create an "empty" file. As
you use the service, reusable service information is stored in the
file, overwriting random data stored there initially. When the
service can get information from your stage file, rather than from the
modem, the service speed is improved. Thanks for writing
+++++++++++++++++++++++++++++++++++++++++++
Comments:
a. The original message was in upper case.
b. Although the basic outline is probably correct, I somehow doubt
that the setup sequence "pulls random bits from your computer's
memory.". It's probably using what ever was in the area last.
Not quite random. (And not a very nice way to write a program.
Me, I'd initialize everything to 0's or 1's.)
c. The moral is clear. Digital is forever. When you erase a file
you don't erase anything, you just tell the system that it can
reuse the space. Admiral Poindexter can testify to that. (And so
can Peter Norton who's saved many a person's skin.)
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
