I've been meaning to post this for a while, as it is a perfect illustration of the hazards of a system that gets too dependant on computer programs. In 1989, Mongomery Ward had a sale of "discontinued, one-of-a-kind, and out- of-date merchandise." A fellow I was dating, who was a Wards employee, told me the story of where it had come from. Around 1985, Wards had reprogrammed their master inventory program. Somehow, the entry for the major distribution warehouse in Redding, California, was left out. One day, the trucks simply stopped coming. Nothing was brought into the warehouse, and nothing left. Paychecks for the employees, however, which were on a different system, kept coming. While this was baffling to the employees, they figured it was better not to make waves. (Rumor has it that they were afraid the warehouse had been phased out, and they had "forgotten" to lay them off, and figured it was better to stay employed.) They went to work every day, and moved boxes around the warehouse, and submitted timecards, for three years, until someone doing an audit finally wondered why major amounts of merchandise had simply disappeared. Tracing things back, the missing warehouse was finally re-found. They were then stuck with an entire warehouse full of white elephants--- merchandise that was three years out of date. Thus, Wards stores throughout California ended up with major amounts of discontinued merchandise to sell at deep discounts. Wards, being majorly embarrassed, tried to downplay how the merchandise was "found." Or, more specifically, why it had become lost in the first place. The store employees got a big chuckle over the warehouse employees being afraid to mention this oversight to the higher-ups, for fear of becoming unemployed. Many references to "like jobs with the government." Of course, the question is: is this the only case like this? Are there more places where an operator entry glitch has caused some function to simply disappear? Things like this happen when live people are accidentally classed as "dead," etc. What happens if someone types the wrong thing, and the local branch of your bank, or MacDonalds, or whatever, simply ceases to exist, to the central computer? Jane Beckman [email@example.com]
Soon, ATMs May Take Your Photograph, Too, By Paul B. Carroll, Wall Street Journal, 25 April 1991, Page B1 (Technology) *Smile* when you use that automated teller machine. Miniature cameras may soon become widespread in ATMs and elsewhere. At Edinburgh University in Scotland, researchers have produced a single computer chip that incorporates all the circuitry needed for a video camera. Even with a lens that fits right on top of the chip, it's still just the size of a thumbnail. When they become available in a year or so, such cameras may carry as little as a $40 price tag. NCR thinks these tiny cameras could find their way into lots of ATMs in the next few years. The computer maker already sells ATMs that include cameras, allowing banks to doublecheck on people who contend their account was debited even though they didn't use an ATM that day. But those cameras are expensive, especially because the big box with the electronics has to be so far back in the ATM that it requires a long, elaborate lens. The lens also gives away to potential cheats the fact that the camera is there, whereas the new tiny cameras will just need a pinhole to peep through. "We see this as a breakthrough," says Greg Scott, an engineer with NCR in Dunfermline, Scotland. The Scottish Development Agency, which supplied some of the initial research funds, says the tiny cameras may also find their way into baby monitors, picture telephones, bar-code readers and robotic vision systems.
For years now, there has been a reasonable solution to the problem of "an old O/S" and network security: Install a newer, much improved O/S (WRT network security) _between_ the open network, and the "closed" community that uses the old O/S to process valuable information. If you REALLY want security, install a Honeywell SCOMP between the internet, and your local host, LAN, or whatever; at less cost, and more risk, install any C2 or better O/S host at that connection site. Then the would-be hacker has to penetrate something a bit better than the "standard out of the box" 5-pin lock that yields in *seconds*. Such a connection can be layered; e.g., one can put a "C2" host (such as a DEC VAX running VMS 5.x, with security options turned on) on the internet, as a MAIL host; then a "B2" (or better) system between that MAIL machine on the internet, and another MAIL machine on the local network; and even other "B2" (or better) nodes within the local net protecting the most "valuable" hosts on it. This is the electric analog to the fence around the base, the lock on the building door, the locked office, and the safe inside the office. The continuing reluctance of "management" (both "general" and "system") to adopt this (or other, better) solutions is perhaps one key to the continuing lack of security. Are we still "hung up" on the cost of hardware, versus cost of personnel time to chase intruders? Are we too proud to admit that we need to improve? Is the old aphorism right: "Never attribute to malice anything that can be explained by stupidity." Bob [The Honeywell SCOMP — still the only A1 evaluated system -- is now the Bull SCOMP.
By the way, to clear things up before the flaming starts, GEnie has recently clarified its user policies for acceptable behavior (in the wake of the Linda Kaplan affair, of which I'm trying to avoid speaking about). Their policy on email is quite clear — they say that junk mail, chain letters, offensive or libelous mail, etc etc are unacceptable — but they also make it perfectly clear that GEnie does not under any circumstances monitor or read email on their systems. They will investigate and deal with inappropriate mail ONLY after complaints from the recipients. Please don't start lumping GEnie and Prodigy together. They are like Night and Orange Juice. chuq (not attached to GEnie in any official way, although they do subsidize one of my GEnie accounts. Aren't disclaimers silly?) Chuq Von Rospach >=< firstname.lastname@example.org >=< GEnie:CHUQ or MAC.BIGOT >=< ALink:CHUQ SFWA Nebula Awards Reports Editor =+= Editor, OtherRealms Book Reviewer, Amazing Stories ---@--- #include <standard/disclaimer.h> Recommended: ORION IN THE DYING TIME Ben Bova (Tor, Aug, ***-); SACRED VISIONS Greeley&Cassutt (Tor, Aug, ****+); MEN AT WORK George Will (****); XENOCIDE Orson Scott Card (August, ****)
This is the summary of the WSJ article I get mailed to me on a daily basis. Interesting that Prodigy does NOT deny that it sends customer data to their host; ONLY that they DO NOT USE it. If they "haven't any interest in getting there" as the summary says, why are they spending their own money to get customer data in the first place? (Prodigy charges a lump fee for unlimited connect time, so they are absorbing the cost of sending this extra data.) Bill Biesty SUBJECT: WSJ DAILY EXTRACT 5/1/91 POSTED 05/01/91 16:09 FROM: EDS BULLETINS WALL STREET JOURNAL DAILY EXTRACT 05/01/91 The following "extracts" are taken from Wall Street Journal (WSJ) articles and are posted on the eMail Bulletin Board daily. Technical Resource Acquisition (TRA), assumes no responsibility for the accuracy of the extracts, which are simply provided as a service to those who do not have the time to read the WSJ. The extracts do not represent the opinion of EDS nor TRA, and are posted for informational purposes only. [...other summaries deleted...] o Subscribers to the popular Prodigy computer service are discovering an unsettling quirk about the system: It offers Prodigy's headquarters a peek into users' own private computer files. The quirk sends copies of random snippets of a PC's contents into some special files in the software Prodigy subscribers use to access the system. Those files are also accessible to Prodigy's central computers, which connect to users' PCs via phone lines. Prodigy, a joint venture of IBM and Sears, Roebuck & Co., offers nearly one million users electronic banking, games, mail and other services. The service's officials say they're aware of the software fluke. They also confirm that it could conceivably allow Prodigy employees to view those stray snippets of private files that creep into the Prodigy software. But they insist that Prodigy has never looked at those snippets and hasn't any intention of ever doing so. "We couldn't get to that information without a lot of work, and we haven't any interest in getting there," says Brian Ek, a Prodigy spokesman. Nevertheless, news of the odd security breach has been stirring alarm among Prodigy users. Many have been nervously checking their Prodigy software to see what snippets have crept into it, finding such sensitive data as lawyer-client notes, private phone-lists, and accountants' tax files. Even though Prodigy users' privacy doesn't appear to have been invaded, the software problem points up the security risks that can arise as the nation races to build vast networks linking PCs via telephone lines.
>It seems to me that there's nothing all that different between an e-mail >service and a phone company--except the format of the data being carried. There are actually a LOT of differences. Phone companies are regulated, quasi-governmental agencies with guaranteed monopolies where the regulating agency has build a set of regulations to make sure that the phone company doesn't take advantage of their monopoly. E-mail services are private businesses that are doing businesses with individuals in an unregulated industry. Now, you can argue that e-mail companies *OUGHT* to be regulated like phone companies — but they aren't, and to do so would require legislation (and probably court fights and other associated legal stuff). >but if a carrier offers a "conference call" service, I don't believe >that they can restrict anyone from using it, or from saying what they like in >the course of such a call. Sure they can. They are a company doing business. When you sign up with them, you make an agreement to do business with them within the guidelines that are set down in the agreement. If you abrograte that agreement (be it "not pay the bill" or "put the company in a situation of legal liability") then that company has the right to terminate the agreement. There is no guarantee of service. Even with the phone company, there is no guarantee of service — you don't believe me, go a few months without paying your bill and argue that you have a right to continue using your phone. >A sharp lawyer ought to be able to convince a judge or jury in a civil suit >(where a preponderance of evidence is all that is necessary to win) that >Prodigy and the others, in offering their e-mail and BBS services, are >operating as de-facto carriers for electronic communications. Sorry, I don't buy it. First, when you sign up for GEnie (and others), you sign an agreement which stipulates the services rendered and the responsibilities to both parties. What you're trying to do here is convince a judge/jury that the legal contract you signed is, in fact, not valid. Not likely to happen. Second, "de-facto carrier" is, to me, a non-statement. An entity is either a common carrier legally or it is not. If it is not a common carrier, it can be held liable for what YOU do on ITS computers. There's no defacto attached -- unless it is given real, legally binding (through legislation or legal precedent) common carrier status, a company HAS to have the right to refuse you service and monitor your behavior for appropriateness, becaus otherwise you are in a position of putting them in legal liability without them having any recourse to protect themselves. Sounds good — but your thoughts don't seem to be well thought out as to how things are in real life. Chuq
In the current issue of the Prodigy Star (newsletter sent out from Prodigy to users) there is a two page article from Harold Goldes (one of the Prodigy EXPerts) on computer viruses. While it is quite informative, the issue of online updating of executables/data is skated though one point seems clear - they do not guarentee that you will not get a virus from Prodigy, and if you do, it is your problem.
Prodigy recently ran an ad in DM News, a weekly direct marketing trade newspaper with the header "..But you can't miss with Prodigy Direct Mail." The ad is encouraging companies to use Prodigy for direct marketing and says in part, "Now, for the first time, marketers can deliver electronic mail to targeted segments of the PRODIGY service member file..." Prodigy service members are highly-responsive, highly-qualified prospects. They are young, well-educated, well-paid and well-traveled. And they're active users of the PRODIGY service, signing on 10 times a month on average, for about 20 minutes each time. Members' demographic data is merged with their PRODIGY service usage information to offer yo more than a dozen selections based on their interests and activities, such as personal finance, sports, computers, travel, etc.... PRODIGY Direct Mail offers you the most sophisticated application available of high-tech, high-touch direct-to-consumer marketing." Clearly they are looking over the shoulders of every user--a point that was also made in the recent NOVA show, "We Know Where You Live." Mary Culnan
Because of all the rumors flying around of Prodigy uploading data off of user's harddisks I decided to test if this was indeed happening. All of these rumors are based on the fact that the staging file (STAGE.DAT) Prodigy uses to buffer its screens on the harddisk sometimes is found to contain bits and pieces of user files and directories. Some users claim this proves Prodigy is uploading the data while others just say it is an artifact of the way that DOS allocates files and because Prodigy does not initialize the file when it is created. I devised and carried out the following experiment in order to test if this was happening. The results are: Prodigy does not appear to be uploading any data. The STAGE.DAT file contains bits and pieces of ERASED files. The experiment went as follows: 1) Re-installed Prodigy. I erased all of the files Prodigy had installed on my system. 2) Modified CONFIG.SYS and AUTOEXEC.BAT to remove all TSRs and have 0 DOS buffers. I removed the disk caching software I usually use. This was to prevent any leftovers in buffers or caches from showing up in STAGE.DAT and so that I could monitor what the harddisk was doing more easily. 3) Defragmented the harddisk so that all files were in contiguous blocks. 4) I ran CLEANDSK and CLEANEND to write zeroes over all the unused parts of the disk and over the unused ends of DOS files. 5) Powered the PC off and then on. All memory was therefore flushed and the minimal system with no buffers was in use. 6) I created several large (500k) files each containing a different pattern of characters. After all were created, I erased them. This was to test whether STAGE.DAT is picking up bits of erased files. 7) I installed Prodigy using a large buffer. This created a STAGE.DAT file that was just under 1 meg in size. 8) I browsed STAGE.DAT to see what was inside. The first 250k or so had interesting stuff and the other 750k was 0's. The interesting stuff was mostly buffered Prodigy windows (I could tell by the text that was mixed in) along with scattered pieces of one of the files I had created and deleted in step 7. This file made up about 100k of STAGE.DAT. and given where the data was I'd guess that the first 200k or so of STAGE.DAT had been overlaid on the disk where this file used to be. The *ONLY* non-Prodigy thing that I saw was a copy of my environment variables (COMPSEC, PATH, and PROMPT). I noted that the windows that were buffered were the "old" windows (Prodigy has changed many of its windows since I got my installation kit). 9) Made a copy of STAGE.DAT so that I could compare it with an updated copy after I signed on. 10) I again powered the PC off and on to clear all the memory. 11) I signed on Prodigy. While on I read some mail, sent some mail, read a few BBS appends, and looked at a couple of ads. Then I signed off. I noticed some things when I signed on. First of all, it took a looooong time. I surmised that all those "old" windows I had seen in STAGE.DAT were being updated. I carefully watched my modem lights and harddisk light (remember, I had no buffering). About 95% of the time (at least!) the modem was receiving data. At the end of each long receive (some were 4 or 5 seconds long) the hard disk would be used briefly and the modem transmit light would flicker on. Then there would be another long receive and etc. At no time was my modem transmitting for more than a fraction of a second. 12) Using a hex/ASCII file comparison tool I compared the contents of the STAGE.DAT that I had saved with the updated one after I logged off Prodigy. Many of the menus I had noticed the first time I looked were changed to the newer formats. Also, the sign off menus and some of the messaging menus had either overwritten some (but not all) of the data from the file I had created and deleted in step 7 or been added at the end of the 250k of initially used area in STAGE.DAT. STAGE.DAT now had about 280k of used area less perhaps 80-90k of data from the file in step 7. This experiment shows to me that all the stuff about Prodigy uploading files is rumors started by people ignorant of how DOS works. Some people said that they reinstalled Prodigy to see if that changed STAGE.DAT but they didn't defragment/zero out their disks first so their data is highly suspect. If they had watched their modem lights they would realize that almost no time is spent sending data to Prodigy when signing on but is almost all sent receiving it. If I were to run this again I would change step 7 to completely fill up the unused portion of my harddisk with the dummy files and then erase them all. My guess is that the 750k of space at the end of STAGE.DAT would then contain bits from those files. Later this week I think I'll try this and see. My set-up in case you're interested is: IBM PC-1 (the original) with an Intel Inboard/386, 40 meg harddisk, 2400 baud modem, DOS 3.2, and Prodigy 3.1 (which is the latest I believe). If you have any questions about the experiment I'm more than happy to answer them. Also, if you have suggestions for more things to try next time let me know. - Bill Seurer IBM: seurer+@rchland Prodigy: CNSX71A Rochester, MN Internet: email@example.com
Please report problems with the web pages to the maintainer