Gentlemen,
The following file was sent to me today, April 29th. I've read it
twice and then had to try it out myself just to see if it was true.
Whether it is a bug in the software, or a covert effort by Sears, IBM,
and Prodigy to *STEAL* private and personal information from your
computer, the fact remains that the STAGE.DAT file in the Prodigy
Subdirectory digs up all sorts of information that would be absolutely
meaningless to the operation of the software.
All appropriate disclaimers apply.
----------------------CUT HERE - ORIGINAL MESSAGE FOLLOWS----------------
Subject: Prodigy security warning
While some of the enclosed article from comp.dcom.telecom is the
usual bbs liver-chewing, the concerns about the STAGE.DAT file's
grabbing of disk data is pretty serious. If you have the Prodigy demo
kit or, heaven forbid, the real thing, what do you find when you look
in your STAGE.DAT file? -- Bob
### BEGIN BBS FILE ###
Name: George J Marengo #199 @6974
From: The Gangs of Vista (Southern California) 619-758-5920
The L. A. County District Attorney is formally investigating PRODIGY
for deceptive trade practices. I have spoken with the investigator
assigned (who called me just this morning, February 22, 1991).
We are free to announce the fact of the investigation. Anyone can
file a complaint. From anywhere.
The address is:
District Attorney's Office
Department of Consumer Protection
Attn: RICH GOLDSTEIN, Investigator
Hall of Records
Room 540 320 West Temple Street
Los Angeles, CA 90012
Rich doesn't want phone calls, he wants simple written statements
and copies (no originals) of any relevant documents attached. He will
call the individuals as needed, he doesn't want his phone ringing off
the hook, but you may call him if it is urgent at 1-213-974-3981.
PLEASE READ THIS SECTION EXTRA CAREFULLY. YOU NEED NOT BE IN
CALIFORNIA TO FILE!!
If any of us "locals" want to discuss this, call me at the Office
Numbers: (818) 989-2434; (213) 874-4044. Remember, the next time you
pay your property taxes, this is what you are supposed to be getting
... service. Flat rate? [laugh] BTW, THE COUNTY IS REPRESENTING THE
STATE OF CALIFORNIA. This ISN'T limited to L. A. County and complaints
are welcome from ANYWHERE in the Country or the world. The idea is
investigation of specific Code Sections and if a Nationwide Pattern is
shown, all the better.
LARRY ROSENBERG, ATTY
Prodigy: More of a Prodigy Than We Think?
By: Linda Houser Rohbough
The stigma that haunts child prodigies is that they are difficult to
get along with, mischievous and occasionally, just flat dangerous,
using innocence to trick us. I wonder if that label fits Prodigy, Sears
and IBM's telecommunications network?
Those of you who read my December article know that I was tipped off
at COMDEX to look at a Prodigy file, created when Prodigy is loaded,
STAGE.DAT. I was told I would find in that file personal information
from my hard disk unrelated to Prodigy. As you know, I did find copies
of the source code to our product FastTrack, in STAGE.DAT. The fact
that they were there at all gave me the same feeling of violation as
the last time my home was broken into by burglars.
I invited you to look at your own STAGE.DAT file, if you're a
Prodigy user, and see if you found anything suspect. Since then I have
had numerous calls with reports of similar finds, everything from
private patient medical information to classified government
The danger is Prodigy is uploading STAGE.DAT and taking a look at
your private business. Why? My guess is marketing research, which is
expensive through legitimate channels, and unwelcomed by you and me. The
question now is: Is it on purpose, or a mistake? One caller theorizes
that it is a bug. He looked at STAGE.DAT with a piece of software he
wrote to look at the physical location of data on the hard disk, and
found that his STAGE.DAT file allocated 950,272 bytes of disk space for
Prodigy stored information about the sections viewed frequently and
the data needed to draw those screens in STAGE.DAT. Service would be
faster with information stored on the PC rather than the same
information being downloaded from Prodigy each time.
That's a viable theory because ASCII evidence of those screen shots
can be found in STAGE.DAT, along with AUTOEXEC.BAT and path
information. I am led to believe that the path and system configuration
(in RAM) are diddled with and then restored to previous settings upon
exit. So the theory goes, in allocating that disk space, Prodigy
accidentally includes data left after an erasure. (As you know, DOS does
not wipe clean the space that deleted files took on the hard disk, but
merely marks the space as vacant in the File Allocation Table.)
There are a couple of problems with this theory. One is that it
assumes that the space was all allocated at once, meaning all 950,272
bytes were absorbed at one time. That simply isn't true. My STAGE.DAT
was 250,000+ bytes after the first time I used Prodigy. The second
assumption is that Prodigy didn't want the personal information; it was
getting it accidentally in uploading and downloading to and from
STAGE.DAT. The E-mail controversy with Prodigy throws doubt upon that.
The E-mail controversy started because people were finding mail they
sent with comments about Prodigy or the E-mail, especially negative
ones, didn't ever arrive. Now Prodigy is saying they don't actually
read the mail, they just have the computer scan it for key terms, and
delete those messages because they are responsible for what happens on
I received a call from someone from another user group who read our
newsletter and is very involved in telecommunications. He installed
and ran Prodigy on a freshly formatted 3.5 inch 1.44 meg disk. Sure
enough, upon checking STAGE.DAT he discovered personal data from his
hard disk that could not have been left there after an erasure. He had
a very difficult time trying to get someone at Prodigy to talk to about
Excerpt of email on the above subject:
THERE'S A FILE ON THIS BOARD CALLED 'FRAUDIGY.ZIP' THAT I SUGGEST
ALL WHO USE THE PRODIGY SERVICE TAKE ***VERY*** SERIOUSLY. THE FILE
DESCRIBES HOW THE PRODIGY SERVICE SEEMS TO SCAN YOUR HARD DRIVE FOR
PERSONAL INFORMATION, DUMPS IT INTO A FILE IN THE PRODIGY SUB-DIRECTORY
CALLED 'STAGE.DAT' AND WHILE YOU'RE WAITING AND WAITING FOR THAT NEXT
MENU TO COME UP, THEY'RE UPLOADING YOUR STUFF AND LOOKING AT IT.
TODAY I WAS IN BABBAGES'S, ECHELON TALKING TO TIM WHEN A GENTLEMAN
WALKED IN, HEARD OUR DISCUSSION, AND PIPED IN THAT HE WAS A COLUMNIST
ON PRODIGY. HE SAID THAT THE INFO FOUND IN 'FRAUDIGY.ZIP' WAS INDEED
TRUE AND THAT IF YOU READ YOUR ON-LINE AGREEMENT CLOSELY, IT SAYS THAT
YOU SIGN ALL RIGHTS TO YOUR COMPUTER AND ITS CONTENTS TO PRODIGY, IBM &
SEARS WHEN YOU AGREE TO THE SERVICE. [****^****]
I TRIED THE TESTS SUGGESTED IN 'FRAUDIGY.ZIP' WITH A VIRGIN
'PRODIGY' KIT. I DID TWO INSTALLATIONS, ONE TO MY OFT USED HARD DRIVE
PARTITION, AND ONE ONTO A 1.2MB FLOPPY. ON THE FLOPPY VERSION, UPON
INSTALLATION (WITHOUT LOGGING ON), I FOUND THAT THE FILE 'STAGE.DAT'
CONTAINED A LISTING OF EVERY .BAT AND SETUP FILE CONTAINED IN MY 'C:'
DRIVE BOOT DIRECTORY. USING THE HARD DRIVE DIRECTORY OF PRODIGY THAT
WAS SET UP, I PROCEEDED TO LOG ON. I LOGGED ON, CONSENTED TO THE
AGREEMENT, AND LOGGED OFF. REMEMBER, THIS WAS A VIRGIN SETUP KIT.
AFTER LOGGING OFF I LOOKED AT 'STAGE.DAT' AND 'CACHE.DAT' FOUND IN
THE PRODIGY SUBDIRECTORY. IN THOSE FILES, I FOUND POINTERS TO PERSONAL
NOTES THAT WERE BURIED THREE SUB-DIRECTORIES DOWN ON MY DRIVE, AND AT
THE END OF 'STAGE.DAT' WAS AN EXACT IMAGE COPY OF MY PC-DESKTOP
CHECK IT OUT FOR YOURSELF.
### END OF BBS FILE ###
I had my lawyer check his STAGE.DAT file and he found none other
than CONFIDENTIAL CLIENT INFO in it.
Needless to say he is no longer a Prodigy user.
Mark A. Emanuele V.P. Engineering Overleaf, Inc.
218 Summit Ave Fords, NJ 08863 (908) 738-8486
[Moderator's Note: Thanks very much for sending along this
fascinating report for the readers of TELECOM Digest. I've always said,
and still believe that the proprietors of any online computer service
have the right to run it any way they want -- even into the ground! --
and that users are free to stay or leave as they see fit. But it is
really disturbing to think that Prodigy has the nerve to rip off private
stuff belonging to users, at least without telling them. But as I think
about it, *who* would sign up with that service if they had bothered to
read the service contract carefully and had the points in this article
explained in detail? PAT]
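The caller's "bug" theory quoted in the article (DOS marks deleted space vacant without wiping it, so a file that reserves space can pick up old data) can be reproduced in miniature. The following is an added example, not part of the original messages and not Prodigy's code: the toy disk model, file names and sample bytes are all constructed, and it illustrates only that theory, not what the Prodigy software actually did.

```python
import re

CLUSTER = 16  # bytes per cluster (tiny, constructed for this demo)

class ToyDisk:
    """Constructed model of a FAT-style volume: data clusters plus an allocation table."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.owner = [None] * clusters          # None = cluster marked vacant

    def allocate(self, name, count, zero_fill=False):
        free = [i for i, o in enumerate(self.owner) if o is None][:count]
        if len(free) < count:
            raise OSError("disk full")
        for i in free:
            self.owner[i] = name
            if zero_fill:                       # mitigation: scrub before handing out
                self.data[i * CLUSTER:(i + 1) * CLUSTER] = bytes(CLUSTER)
        return free

    def write(self, name, payload):
        chain = self.allocate(name, -(-len(payload) // CLUSTER))
        for n, i in enumerate(chain):
            chunk = payload[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[i * CLUSTER:i * CLUSTER + len(chunk)] = chunk

    def delete(self, name):
        # Only the table changes; the cluster contents stay on the disk.
        self.owner = [None if o == name else o for o in self.owner]

    def read(self, name):
        return b"".join(bytes(self.data[i * CLUSTER:(i + 1) * CLUSTER])
                        for i, o in enumerate(self.owner) if o == name)

def printable_runs(blob, min_len=6):
    """Return runs of printable ASCII, the way one would inspect a cache file."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def demo(zero_fill):
    disk = ToyDisk(8)
    disk.write("NOTES.TXT", b"patient: J. Doe, dx confidential")  # constructed sample
    disk.delete("NOTES.TXT")
    disk.allocate("STAGE.DAT", 4, zero_fill=zero_fill)  # space reserved, never written
    return printable_runs(disk.read("STAGE.DAT"))

if __name__ == "__main__":
    print("no scrub :", demo(zero_fill=False))
    print("zero-fill:", demo(zero_fill=True))
```

Without scrubbing, the reserved file reads back the deleted note; with zero-fill on allocation it reads back nothing.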
E-Mail Fredric L. Rice / The Skeptic Tank