WHMurray@DOCKMASTER.ARPA (01/15/90)
>At a meeting yesterday some people made comments that some viruses
>have been found in shrink-wrapped diskettes. This did surprise me as
>we have been using a rule of thumb to stick to shrink wrapped software
>to help avoid viruses. What comments &/or advice do you have for this
>situation?
> Thanks, Craig

Shrink wrapping is a form of encapsulation that reduces the risk that software will be contaminated and increases the probability that tampering will leave evidence.

The vendor of software has an interest in an orderly market place and in the reputation of his product. If you have evidence that the product has not been tampered with since the vendor shipped it, then you may rely, in part, upon his interests. Shrink-wrap that is applied by the vendor would help to serve that purpose. However, few original vendors use labelled shrink-wrap and many distributors and retailers can apply shrink wrap.

Since much software is poorly labelled, since it is hard to demonstrate, and generally difficult to buy, many retailers have adopted a "Trial/Return" policy. Under this policy a purchaser is permitted to return software for a full refund within a limited period of time. The retailer re-wraps the software and returns it to the shelf.

Most such retailers are simply naive; a few are irresponsible. The risk to the retailer is that the "purchaser" will simply make a copy of the software and return the original media and documentation to the retailer. However, the retailer can measure this risk. The risk to subsequent purchasers of the used package is that the media was contaminated before it was returned. This risk is harder to measure and is not to the person making the decisions.

Vendors can help by using labelled shrink-wrap. To the extent that users come to expect such labelling, the re-wrap strategy becomes less effective and efficient for the retailer. Users can protect themselves and discourage this risky practice by refusing to deal with retailers that offer them the right to return.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
SPBK09@SDNET.BITNET (Brian Piersel) (01/15/90)
On Sun, 14 Jan 90 18:02:00 -0500 <WHMurray@DOCKMASTER.ARPA> said:
>Vendors can help by using labelled shrink-wrap. To the extent that
>users come to expect such labelling, the re-wrap strategy becomes less
>effective and efficient for the retailer. Users can protect themselves
>and discourage this risky practice by refusing to deal with retailers
>that offer them the right to return.

Another way vendors can help is to sell software on write-protected diskettes. I always (or almost always) write-protect the master diskette before putting it in the disk drive, to insure that nothing happens to my original, anyways. This would also prevent the disk from being infected.

+----------------------------------------------+
|                Brian Piersel                 |
+----------------------------------------------+
| BITNET:   SPBK09@SDNET                       |
| INTERNET: SPBK09%SDNET.BITNET@VM1.NoDak.EDU  |
+----------------------------------------------+
|           IBM = Itty Bitty Machine           |
+----------------------------------------------+
exspes@gdr.bath.ac.uk (P E Smee) (01/16/90)
In article <0013.9001151235.AA07390@ge.sei.cmu.edu> WHMurray@DOCKMASTER.ARPA writes:
>Vendors can help by using labelled shrink-wrap. To the extent that
>users come to expect such labelling, the re-wrap strategy becomes less
>effective and efficient for the retailer. Users can protect themselves
>and discourage this risky practice by refusing to deal with retailers
>that offer them the right to return.

Two points here:

The first is (far as I know) unique to the UK. We virtually never SEE shrink-wraps. The reason is that (allegedly to prevent theft) the software shops display only the empty boxes on their shelves. The contents are removed to be stored behind the counter, and are replaced in the box when you buy the software. (Yes, it occasionally causes problems. My copy of Dungeon Master turned out to include a Falcon registration card. Sigh.) For big-selling software (read, popular games) they will probably also have some unopened boxes behind the counter; but for more serious stuff, the opened copy is probably the only one they've got. And, you can't just take your business elsewhere, because they all do this. (Records, prerecorded cassettes, CD's, and videotapes are all also marketed this way.)

Second problem is more general, in that you are also thereby more or less guaranteeing that the retailer will not be willing to demo a package to you before you buy it. For a lot of packages, particularly the serious (and expensive) ones, you can't really tell from the manufacturers' puff whether the product will do what you need -- or, indeed, anything useful at all. Again, for popular products this might be eased, but for things with a limited market -- well, the dealer is hardly going to invest in a separate demo copy of something which only sells a copy a month or so.

What's really needed is some way that the maker can include, separate from the disk, some form of 'signature' which can be used with a publicly available verification program, so that you could scan the disk with the verifier, and compare the output with the provided signature. Akin to a checksum, but sufficiently complex that any change to the disk would be detected. (There's a thesis topic for the next 10 years' worth of Masters candidates. :-) The problem should be easier than the corresponding ideas for protecting 'user' disks, as there should be no reason for a distribution disk to EVER change once it has left the maker's hands.

--
Paul Smee, Univ of Bristol Comp Centre, Bristol BS8 1TW, Tel +44 272 303132
Smee@bristol.ac.uk :-) (..!uunet!ukc!gdr.bath.ac.uk!exspes if you MUST)
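The kind of verifier described in the post above, as an added example that is not part of the original thread: a per-sector SHA-256 list authenticated by one short root value supplied apart from the disk, so the check also reports which sectors changed. The function names, the manifest layout and the sample image are assumptions made for illustration, and the root value is a plain digest, not a public-key signature, so it is only as trustworthy as the channel that delivers it.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per floppy sector


def sector_digests(image: bytes) -> list:
    """SHA-256 of every sector, in disk order."""
    return [hashlib.sha256(image[i:i + SECTOR]).digest()
            for i in range(0, len(image), SECTOR)]


def root_digest(length: int, digests: list) -> str:
    """One short value covering the image length and every sector digest."""
    h = hashlib.sha256(length.to_bytes(8, "big"))
    for d in digests:
        h.update(d)
    return h.hexdigest()


def make_manifest(image: bytes) -> dict:
    """Maker's side: per-sector list (may ship on the disk) plus the root."""
    digests = sector_digests(image)
    return {"length": len(image), "sectors": digests,
            "root": root_digest(len(image), digests)}


def verify(image: bytes, manifest: dict, printed_root: str) -> list:
    """Return the changed sector numbers; [] means the disk is as shipped."""
    # The manifest is untrusted until it reproduces the separately supplied value.
    recomputed = root_digest(manifest["length"], manifest["sectors"])
    if not hmac.compare_digest(recomputed, printed_root):
        raise ValueError("manifest does not match the separately supplied value")
    if len(image) != manifest["length"]:
        raise ValueError("disk image length differs from the maker's")
    actual = sector_digests(image)
    return [n for n, (a, e) in enumerate(zip(actual, manifest["sectors"])) if a != e]


# Constructed sample: a 360 KB "distribution disk" of 720 distinct sectors.
MASTER = b"".join(hashlib.sha256(n.to_bytes(4, "big")).digest() * 16 for n in range(720))
MANIFEST = make_manifest(MASTER)
PRINTED = MANIFEST["root"]  # stands in for the value shipped apart from the disk

# Constructed tampering: one flipped byte in the boot sector and one in sector 5.
TAMPERED = bytearray(MASTER)
TAMPERED[3] ^= 0xFF
TAMPERED[5 * SECTOR + 10] ^= 0x01

if __name__ == "__main__":
    print("master:", verify(MASTER, MANIFEST, PRINTED))
    print("tampered:", verify(bytes(TAMPERED), MANIFEST, PRINTED))
```

A manifest rebuilt from the altered disk fails the first check because its root no longer equals the separately supplied value, which is the property the post asks for.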
msm@sgi.sgi.com (Michael S. Maiten) (01/17/90)
WHMurray@DOCKMASTER.ARPA writes:
> Vendors can help by using labeled shrink-wrap. To the extent that
> users come to expect such labeling, the re-wrap strategy becomes less
> effective and efficient for the retailer.

Much of the discussion of the "shrink wrap" issue is focused on the inability of the purchaser to determine if the disk has ever been used and rewrapped.

In my opinion, a solution to this problem is for the software publishers to use disks that are permanently write-protected (i.e., no notch on 5.25" disks and a hole without slider on 3.5" disks). This will not stop a determined terrorist from infecting disks, but it will stop the casual accidental infection of purchased software.

> Users can protect themselves
> and discourage this risky practice by refusing to deal with retailers
> that offer them the right to return.

Stores that offer return policies are exactly the ones with whom I do deal, since it is almost impossible to see if the software will meet my needs by reading the box or trying out the store demonstration copy. What they should do is to be more careful when accepting the returned items (check for missing materials, and check for infection of the disks) before returning the person's money.

------------------------------------------------------------------------------
Michael S. Maiten            Internet: msm%ensys@bridge2.esd.3com.com
Energetic Systems                  or: msm%ensys@silvlis.com
Telephone: +1 415 964-9746       UUCP: {sun!silvlis,bridge2}!ensys!msm