JZH1@MARISTB.BITNET (Craig W. Fisher) (01/10/90)
At a meeting yesterday some people made comments that some viruses have been found in shrink-wrapped diskettes. This did surprise me as we have been using a rule of thumb to stick to shrink wrapped software to help avoid viruses. What comments &/or advice do you have for this situation? Thanks, Craig PS: I almost typed shrink warpped...interesting freudian slip! Acknowledge-To: <JZH1@MARISTB>
odawa@apple.com (Michael Odawa) (01/12/90)
> we have been using a rule of thumb to stick to shrink wrapped software > to help avoid viruses. What comments &/or advice do you have for this > situation? Both shrinkwrapped and downloaded software sources have their advantages and risks of contamination. It is our belief that the important factor is not the distribution method by which you acquire your software which will protect you, but the integrity of your sources. While there have been some very serious and regrettable instances of viruses appearing in both shrink-wrapped and downloaded software, these are rare in comparison to the viral propagation that results from software that is "passed around." To achieve maximum protection you should (a) acquire software only from trusted sources, (b) scan and monitor your system for viral activity regularly, and (c) backup often and systematically. Michael Odawa Virus Task Force Software Development Council odawa@well.uucp
magik@chinet.chi.il.us (Ben Liberman) (01/12/90)
JZH1@MARISTB.BITNET (Craig W. Fisher) writes: >At a meeting yesterday some people made comments that some viruses >have been found in shrink-wrapped diskettes. This did surprise me as >we have been using a rule of thumb to stick to shrink wrapped software >to help avoid viruses. A problem that may show up with shrink warped (sic) software is that sometimes retailers will take back software from customers, and re-shrink warp it, at the store. If the customer tried the software out on an infected machine.... - -- ------------ ------------ ---------------------- Ben Liberman USENET magik@chinet.chi.il.us GEnie,Delphi MAGIK
fac2@dayton.saic.com (Earle Ake) (01/12/90)
JZH1@MARISTB.BITNET (Craig W. Fisher) writes: > At a meeting yesterday some people made comments that some viruses > have been found in shrink-wrapped diskettes. This did surprise me as > we have been using a rule of thumb to stick to shrink wrapped software > to help avoid viruses. What comments &/or advice do you have for this > situation? > Thanks, Craig If you have a virus on your system that reproduced your master diskette, that virus could infect the copy. If the store that re-sells your software takes off the shrink-wrap, tests the program and re-shrink-wraps it, there is a chance of a virus infecting it there. If someone buys a package, takes it home and discovers it will not work on his system and returns the software, the store re-shrink-wraps it and sells it for new. Yet another way to infect a disk even though it was sold 'shrink-wrapped'. Do we have to put all software in tamper-resistant packaging like Tylenol? If a store tries a package out so they can be able to tell customers how good it is, can they sell that diskette as new software still? Do we have to demand a no-returns policy on software? Hey, the customer might have a shrink-wrap machine available to them and would be able to shrink-wrap and return as new. Where do we draw the line? Shrink-wrap doesn't mean virus-free! _____________________________________________________________________________ ____ ____ ___ Earle Ake /___ /___/ / / Science Applications International Corporation ____// / / /__ Dayton, Ohio ----------------------------------------------------------------------------- Internet: fac2%dayton.saic.com@uunet.uu.net uucp: uunet!dayvb!fac2
spaf@cs.purdue.edu (Gene Spafford) (01/12/90)
Many large retailers (and some wholesalers) have shrinkwrap machines. They use these to rewrap packages of software that endusers may have purchased and then returned. They may also rewrap software packages that they have been using in-house as demo programs. They usually do not check the diskettes to see if they have been modified with a virus or other nasty. The purchaser usually has no way of knowing if the package they have just purchased has been rewrapped in this manner. Additionally, there have been some commercial distributions shipped with a virus on the diskettes. Usually, this contamination occurs in the stages where the diskette is formatted or copied, not when the master copy of the software is produced. That is, the machines doing the copying are infected and they introduce the infection when they copy the master version onto the diskette. Most software houses are now aware of this problems and they take greater care to protect the machines used to produce the distribution. Words of advice: Get in the habit of using virus scan programs on EVERY new diskette you add to your system. It will only take you a few extra minutes but may save you a great deal of trouble. Establishing the habit is very good practice. Keep a virus monitor (e.g., Gatekeeper, FluShot+) installed on your system and activated just in case. Point out to your retailer/wholesaler that should you ever buy a product from them with a virus on it, introduced because they have re-wrapped an infected product, they are liable for damages in a lawsuit. Encourage them to label any package so rewrapped -- then be extra careful when purchasing same. - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
wlhadley@gmuvax.gmu.edu (WILLIAM HADLEY) (01/13/90)
Craig, When you buy software in a computer store that is shrink wrapped, it may not have always stayed in that condition before *you* bought that software. There are software stores (at least in the Washington, D.C. area) that will re-shrink wrap software packages when they are returned. For example, if someone bought a software package, took it home, and didn't like it. They could take it to the software store who would take the software back as long as the software still had the documentation AND the registration card. They would take the software and offer an exchange or refund and send the customer on his/her way. Then the store would take the software into the backroom and procede to re-shrink wrap the software and put it back on the shelf. I (as the customer) had an experience like this. I returned a piece of software that I was not what I thought. The store I bought it from was more than happy to assist me (keep the customer happy). They asked if everything that came in the box was there, which of course it was. Then the sales clerk SPECIFICALLY asked me if the registration card was in the box. Again, I assured him that everything was there. He explained that he had to ask about that because they were going to put it back on the shelf and re-sell the package. I asked if he could sell it without the shrink wrap on the box, to which he replied, "Nah, we have a shrink wrap machine in back" (not necessarily a direct quote). I thought about that, about specifically asking for the registration card. I could have pirated the software and sent in the card as though I *actually* paid for it. But then I thought a little bit more about the whole transaction. The clerk never looked in the box when I was standing there to see if everything was in it. After refunding my money, he took the box in back, wrapped it, and brought it back before I left the store. He could have looked while he was in back, but I don't think he did because he was not gone for very long. Also, he never asked to see a sales recipt. There was no price tag on the box (it was shrink wrapped when I bought it and the tag was stuck to the wrapping which I threw away) so he wouldn't have known for sure if I even bought it at his store - if I bought it at all. I could have stolen the software, pirated it and get *my* money back. Or I could have stolen the software, INFECTED it, and then get *my* money back. The store and the software company would have never known - neither would the unsuspecting customer who might have bought that software. **JUST FOR THE RECORD** I *did* pay for it, and I *did* have my sales recipt with me when I returned the software. I was *not* satisfied with the program. And, I did *not* pirate it and did *not* infect it with anything.
woody@rpp386.cactus.org (Woodrow Baker) (01/14/90)
I applogize for posting this here, but my mailer would not let me reply to someone who replied to a message I posted here. siia!drd: Postscript fonts are executable files. Like any other postscript program they have file access, and full unfettered access to the system. They are for the mostparts, encrypted, but the encryption and decryption algs are known. A malicious person could create a font program that could when run, delete all files off the hard disk, or more viciously, subtly alter existing fonts from say Adobe, or some other font company. They could be altered to do more than just print funny. They could clear the page, print messages over pages, corrupt the filesystem (very easy to do by the way, and in general create all manner of havoc. The posiblilty is very real. Cheers Woody
len@csd4.csd.uwm.edu (Leonard P Levine) (01/16/90)
Many vendors are now selling software on un-notched disks. My most recent copy of wordstar, my copy of spinrite and even one shareware product have come to me on disks that cannot be written to except with modified computer hardware. Such software can only be infected at the factory, and the probability of that is becoming increasingly small. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.cs.uwm.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. FAX (414) 229-6958 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
mlord@watmath.waterloo.edu (Mark Lord) (01/16/90)
fac2@dayton.saic.com (Earle Ake) writes: > If you have a virus on your system that reproduced your master >diskette, that virus could infect the copy. If the store that >re-sells your software takes off the shrink-wrap, tests the program >and re-shrink-wraps it, there is a chance of a virus infecting it >there. If someone buys a package, takes it home and discovers it will >not work on his system and returns the software, the store >re-shrink-wraps it and sells it for new. Yet another way to infect a >disk even though it was sold 'shrink-wrapped'. Do we have to put all >software in tamper-resistant packaging like Tylenol? If a store tries >a package out so they can be able to tell customers how good it is, >can they sell that diskette as new software still? Do we have to >demand a no-returns policy on software? Hey, the customer might have >a shrink-wrap machine available to them and would be able to >shrink-wrap and return as new. Where do we draw the line? Hmm.. the simple solution to most of these problems is to distribute software on diskettes without write-enable slots (ie. built-in write protection tabs). There is simply NO way, short of modifying hardware, for such diskettes to become virus infected on the customers premises. I'm actually quite suprised that 99% of the software I purchase comes *without* write protection tabs installed on the diskettes (5.25" floppies). I really have to force myself to install that critical tab *before* inserting the disk in *any* drive. This guarantees that I don't infect the masters. This whole deal with shrink-wrap and Tylenol-packaging for software is really a big scam in a lot of ways (IMHO). I mean, think about this.. the customer is expected to plop out (here in Canada, at least) between $60 and $200 for the most trivial of store-bought software, WITHOUT any guarantee of system compatibility (most people DO NOT have IBM/COMPAQ/TANDY machines.. face it!). In addition, if the program does not work, or demonstrates bugs, TOUGH NUGGIES.. no source code to fix and no replacements available. Would you buy anything else *new* under such outrageous conditions??? [other than software, of course] Where is Ralph Nader when we need him? Ooops. Wrong country. 'cuse me while I take a long dandelion break... - -- +----------------------------------------+----------------------------+ | Mark S. Lord | Hey, It's only MY opinion. | | ..!utgpu!bnr-vpa!bnr-fos!mlord%bmers58 | Feel free to have your own.| +----------------------------------------+----------------------------+
dmg@retina.mitre.org (David Gursky) (01/17/90)
Several people in Virus-L V3 #12 suggested that were vendors to distribute applications on write-locked media, the potential for vandalism by buying an application, infecting it, and return it, would be reduced. While that statement is broad enough to be true, I would suggest that the suggestion is far to easy for a vandal (and not even a very determined one at that) to get around, where 3.5" media is concerned. With 3.5" disks, a small hole can be covered by a moving tab, to indicate to the disk drive whether the disk is locked or not. Open is locked, closed is writable. If vendors disseminate applications on write-locked 3.5" media, all a vandal needs to do is cover the hole with a small piece of electrical tape. 5.25" media is more difficult to pull this stunt with. The presence of small notch in the side of the flexible case means the disk is writable. In order for a vandal to infect an application shipped on 5.25" media, the vandal would have to physically mar the case, which is a surer sign of tampering.
forags%nature.Berkeley.EDU@ucbvax.Berkeley.EDU (01/18/90)
Several writers have suggested that vendors distribute software on 5.25" diskettes without write-enable notches since evidence of tampering with such diskettes is fairly obvious. A sheet-metal notching tool cuts a very clean write-enable notch which can fool many users. Thus, I would suggest that vendors distributing software on diskettes without write-enable notches also add a warning ON THE DISKETTE LABEL stating that the diskette was manufactured without a write-enable notch and that the buyer should reject any diskette with a write enable notch cut in it. Al Stangenberger Dept. of Forestry & Resource Mgt. forags@violet.berkeley.edu 145 Mulford Hall - Univ. of Calif. uucp: ucbvax!ucbviolet!forags Berkeley, CA 94720 BITNET: FORAGS AT UCBVIOLE (415) 642-4424