[comp.virus] Some more thoughts on shrink-wrapped software...

dmg@retina.mitre.org (David Gursky) (01/16/90)

What is really most amazing about the problem of a potential vandal infecting
a commercial application, and returning it to an unsuspecting vendor is the
ease with which the vendor can detect the problem.  Consider the following
scenario:

1 -- An application is returned to a vendor.

2 -- Proof of purchase is produced, vendor agrees to accept product, but does
     not yet refund purchase price.

3 -- A second copy of the shrink-wrapped application is removed from the
     shelf.

4 -- The disk(s) from the returned copy are then byte-by-byte compared against
     the disk(s) in the shelf copy from step 3.

5 -- If no major changes are found (some users still run the applications
     straight off the master disk, and some of those applications modify them-
     selves in some minor fashion), the consumer's money is then (and only
     then!) refunded.

     If major problems are found, perhaps only a portion of the purchase price
     is refunded, or none at all, depending on how the store wishes to actually
     implement the procedure.

Likewise, an office that purchases multiple copies of an application can
perform a similar function on incoming shrink-wrapped software.  A direct copy
(especially when done at a machine that is "clean") should be very effective
at uncovering vandalized software.
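The comparison in steps 4 and 5, sketched as an added example that is not part of the original post: it diffs a returned disk image against a shelf copy sector by sector and sorts the result into identical, minor, or major. The 512-byte sector size, the `max_changed` threshold, and the in-memory sample images are assumptions made for illustration.

```python
import io

SECTOR = 512  # assumption: sector size of the media being compared

def diff_sectors(reference, returned, sector=SECTOR):
    """Return (changed sector indices, total sectors) for two binary streams."""
    changed, index = [], 0
    while True:
        a, b = reference.read(sector), returned.read(sector)
        if not a and not b:
            break
        if a != b:  # a short or missing sector on either side counts as changed
            changed.append(index)
        index += 1
    return changed, index

def coalesce(indices):
    """Collapse sorted sector indices into inclusive (start, end) runs."""
    runs = []
    for i in indices:
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs

def triage(reference, returned, max_changed=2):
    """Classify a returned disk; max_changed is a hypothetical store policy."""
    changed, total = diff_sectors(reference, returned)
    if not changed:
        verdict = "identical"
    elif len(changed) <= max_changed:
        verdict = "minor"
    else:
        verdict = "major"
    return {"verdict": verdict, "total": total, "runs": coalesce(changed)}

def make_image(sectors=720, patches=()):
    """Build a constructed sample image; patches are (sector, bytes) pairs."""
    img = bytearray(b"\xF6" * (SECTOR * sectors))
    for sec, payload in patches:
        img[sec * SECTOR: sec * SECTOR + len(payload)] = payload
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    shelf = make_image()
    returned = make_image(patches=[(0, b"X" * SECTOR), (100, b"X" * 3 * SECTOR)])
    print(triage(shelf, returned))
```

The streams can equally be raw disk images opened in binary mode on a machine known to be clean. The reported runs show where the copies differ, which a sector count alone does not.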

haydon@nevada.edu (James P. Willey) (01/18/90)

dmg@retina.mitre.org (David Gursky) writes:
>What is really most amazing about the problem of a potential vandal infecting
>a commercial application, and returning it to an unsuspecting vendor is the
>ease with which the vendor can detect the problem.  Consider the following
>scenario:

      I work at a small software store, and I noticed several problems with
this scenario.

>1 -- An application is returned to a vendor.

Yes, unfortunately this does happen frequently.

>2 -- Proof of purchase is produced, vendor agrees to accept product, but does
>     not yet refund purchase price.
>
>3 -- A second copy of the shrink-wrapped application is removed from the
>     shelf.

Assuming, of course, that the store has another copy on the shelf.
This would also waste a lot of time reshrink wrapping software.

>4 -- The disk(s) from the returned copy are then byte-by-byte compared against
>     the disk(s) in the shelf copy from step 3.

Assuming, of course, that the store has the computer that the software
is for.  At the store I work at, we carry IBM, Mac, and Apple, but we
only have an IBM computer.  Also, the store may only have 5.25 drives
and the software in question is on 3.5 disks.  The computers are also
used for demo software in case someone wants to see it run before they
buy it.  Checking every disk

I agree that something should be done, but this isn't the answer for
everyone.

-
 -------------------------------------------------------------------------------
James P. Willey                           willey@arrakis.NEVADA.EDU
Disclaimer:  I'm now employed, but I'm responsible for my employer's opinions,
		not vice versa.