VIRUS-L Digest   Tuesday, 16 Jan 1990    Volume 3 : Issue 12

Today's Topics:

Re: Shrink-Wrapped Software
Some more thoughts on shrink-wrapped software...
Re: RE: Shrink wrap...still safe?
Protecting software from contamination
AFD Listserv that has SCANVx.arc (PC)
Internet worm writer to go to trial Jan 16th. (Internet)
WDEF in Ireland (Mac)
Re: Shrink-Wrapped Software
Biological analogy source requested

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 15 Jan 90 08:33:19 -0500
From:    Brian Piersel
Subject: Re: Shrink-Wrapped Software

On Sun, 14 Jan 90 18:02:00 -0500 said:
>Vendors can help by using labelled shrink-wrap. To the extent that
>users come to expect such labelling, the re-wrap strategy becomes less
>effective and efficient for the retailer. Users can protect themselves
>and discourage this risky practice by refusing to deal with retailers
>that offer them the right to return.

Another way vendors can help is to sell software on write-protected
diskettes. I always (or almost always) write-protect the master
diskette before putting it in the disk drive, to insure that nothing
happens to my original, anyways. This would also prevent the disk from
being infected.

+----------------------------------------------+
| Brian Piersel                                |
+----------------------------------------------+
| BITNET:   SPBK09@SDNET                       |
| INTERNET: SPBK09%SDNET.BITNET@VM1.NoDak.EDU  |
+----------------------------------------------+
| IBM = Itty Bitty Machine                     |
+----------------------------------------------+

------------------------------

Date:    Mon, 15 Jan 90 12:00:43 -0500
From:    dmg@retina.mitre.org (David Gursky)
Subject: Some more thoughts on shrink-wrapped software...

What is really most amazing about the problem of a potential vandal
infecting a commercial application, and returning it to an
unsuspecting vendor is the ease with which the vendor can detect the
problem. Consider the following scenario:

1 -- An application is returned to a vendor.

2 -- Proof of purchase is produced, vendor agrees to accept product,
     but does not yet refund purchase price.

3 -- A second copy of the shrink-wrapped application is removed from
     the shelf.

4 -- The disk(s) from the returned copy are then byte-by-byte compared
     against the disk(s) in the shelf copy from step 3.

5 -- If no major changes are found (some users still run the
     applications straight off the master disk, and some of those
     applications modify themselves in some minor fashion), the
     consumer's money is then (and only then!) refunded. If major
     problems are found, perhaps only a portion of the purchase price
     is refunded, or none at all, depending on how the store wishes to
     actually implement the procedure.

Likewise, an office that purchases multiple copies of an application
can perform a similar function on incoming shrink-wrapped software. A
direct copy (especially when done at a machine that is "clean") should
be very effective at uncovering vandalized software.

------------------------------

Date:    15 Jan 90 16:42:17 +0000
From:    len@csd4.csd.uwm.edu (Leonard P Levine)
Subject: Re: RE: Shrink wrap...still safe?

Many vendors are now selling software on un-notched disks.
My most recent copy of wordstar, my copy of spinrite and even one
shareware product have come to me on disks that cannot be written to
except with modified computer hardware. Such software can only be
infected at the factory, and the probability of that is becoming
increasingly small.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.cs.uwm.edu |
| Professor, Computer Science        Office (414) 229-5170      |
| University of Wisconsin-Milwaukee  Home   (414) 962-4719      |
| Milwaukee, WI 53201 U.S.A.         FAX    (414) 229-6958      |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date:    Mon, 15 Jan 90 12:02:02 -0500
From:    Peter Jones
Subject: Protecting software from contamination

On Sun, 14 Jan 90 18:02:00 -0500 WHMurray@DOCKMASTER.ARPA said, in
VIRUS-L Digest Monday, 15 Jan 1990 Volume 3 : Issue 11:
>Subject: Shrink-Wrapped Software
>
>Shrink-wrap that is applied by the vendor would help to serve that
>purpose. However, few original vendors use labelled shrink-wrap and
>many distributors and retailers can apply shrink wrap.

If vendors used read-only diskettes, contamination of the distribution
diskettes would become almost impossible for casual users. The user
would have to tamper with the write-protect switch on his diskette
reader to allow alteration of a diskette. Early Apple-IIs are the only
machines I know of in which diskette write protection can be overcome
by software.

Peter Jones     MAINT@UQAM     (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date:    Mon, 15 Jan 90 15:35:00 -0500
From:
Subject: AFD Listserv that has SCANVx.arc (PC)

HI!

I have learned of the AFD feature on listserv. I was wondering if
there is a site that has it set up in such a way that I can get
SCANVxx.arc as an afd. I've tried rice but the server there only has
it as part of the simtel20 archives.
(and those you must use special /pdget type commands for) Also, I
don't think you can specify wildcards on an afd so how would we get
the latest version of scan?

I'm sure others would be interested in doing this!

Please send a copy of any replies to me direct as I don't subscribe to
this list. (too much volume)

Thanks!

Jeffrey Perry
Computer Science Student
Northeastern University
Boston, ma
PERRY@nuhub.northeastern.edu

------------------------------

Date:    16 Jan 90 03:47:00 -0500
From:    "Damon Kelley; (RJE)"
Subject: Internet worm writer to go to trial Jan 16th. (Internet)

I just wanted to inform the readers of this list that Robert T. Morris
of Arnold, Maryland is going to trial this January 16, 1990 for
unleashing (was it "The Great Internet Worm?") a worm that immobilized
a certain computer network in November of 1988. Mr. Morris is a
student who was suspended from Cornell University because of his
actions.

When I read the article that I got the above information from, I was a
bit shocked that the jurors were deliberately picked by the U.S.
Justice Department lawyers because they didn't know *anything* about
computers. Would the jurors understand enough of the computer talk
thrown between defense and prosecutor to reach a truly informed
verdict?

My mother and I discussed the issue. I said that the trial would be
unbalanced and handled badly because every little techie term would
have to be explained over and over again to the jury, slowing down the
trial process. Isn't a "jury of his peers" called for here? She said
that the trial would be more impartial if the jury is composed of
non-tech persons. Comments?

Does the Justice Department have a prejudice against computer
enthusiasts? Perhaps so. In the article I read, the lawyers excluded
persons who owned computers, but included persons whose jobs involved
"pushing buttons," such as flight reservation clerks and insurance
claim processors. Those lawyers better straighten up.
Not all computer enthusiasts practice regularly what Mr. Morris did,
nor do they openly encourage the wanton destruction of computer
systems "for a kick."

Source: _The_Baltimore_Evening_Sun_, January 15, 1990. Section D, top
of page 2: "'Illiterates' Judging Computer Genius." The information in
the first two paragraphs is selected bits, not direct quotes, so don't
bother to flame me.

DISCLAIMER: The information above does NOT represent the views of any
organization, group, man, woman, beast, insect, microbe, matter,
energy, etc. existing in all the planes of reality known/not known! To
assume that this information is more than the sputterings of the
author is stupidity on your part.

Damon (@umbc.bitnet)
      (@umbc2.umbc.edu)
      (...@umbc5.umbc.edu [uucp. Guess a path...] )

------------------------------

Date:    16 Jan 90 10:06:52 +0000
From:    Colman Reilly
Subject: WDEF in Ireland (Mac)

The WDEF virus has been reported in Trinity College, Dublin - I don't
have details but the needed anti-viral stuff is available - Thanks to
all involved in producing the software.

- -------------------------------------------------------------------------------
creilly@hamilton.maths.tcd.ie                                     Colman Reilly
All my own work-no one else has any claim or responsibility for my opinions
- -------------------------------------------------------------------------------

------------------------------

Date:    Tue, 16 Jan 90 11:17:59 +0000
From:    exspes@gdr.bath.ac.uk (P E Smee)
Subject: Re: Shrink-Wrapped Software

In article <0013.9001151235.AA07390@ge.sei.cmu.edu> WHMurray@DOCKMASTER.ARPA writes:
>Vendors can help by using labelled shrink-wrap. To the extent that
>users come to expect such labelling, the re-wrap strategy becomes less
>effective and efficient for the retailer. Users can protect themselves
>and discourage this risky practice by refusing to deal with retailers
>that offer them the right to return.

Two points here:

The first is (far as I know) unique to the UK.
We virtually never SEE shrink-wraps. The reason is that (allegedly to
prevent theft) the software shops display only the empty boxes on
their shelves. The contents are removed to be stored behind the
counter, and are replaced in the box when you buy the software. (Yes,
it occasionally causes problems. My copy of Dungeon Master turned out
to include a Falcon registration card. Sigh.) For big-selling software
(read, popular games) they will probably also have some unopened boxes
behind the counter; but for more serious stuff, the opened copy is
probably the only one they've got. And, you can't just take your
business elsewhere, because they all do this. (Records, prerecorded
cassettes, CD's, and videotapes are all also marketed this way.)

Second problem is more general, in that you are also thereby more or
less guaranteeing that the retailer will not be willing to demo a
package to you before you buy it. For a lot of packages, particularly
the serious (and expensive) ones, you can't really tell from the
manufacturers' puff whether the product will do what you need -- or,
indeed, anything useful at all. Again, for popular products this might
be eased, but for things with a limited market -- well, the dealer is
hardly going to invest in a separate demo copy of something which only
sells a copy a month or so.

What's really needed is some way that the maker can include, separate
from the disk, some form of 'signature' which can be used with a
publicly available verification program, so that you could scan the
disk with the verifier, and compare the output with the provided
signature. Akin to a checksum, but sufficiently complex that any
change to the disk would be detected. (There's a thesis topic for the
next 10 years' worth of Masters candidates. :-) The problem should be
easier than the corresponding ideas for protecting 'user' disks, as
there should be no reason for a distribution disk to EVER change once
it has left the maker's hands.

- --
Paul Smee, Univ of Bristol Comp Centre, Bristol BS8 1TW, Tel +44 272 303132
Smee@bristol.ac.uk :-) (..!uunet!ukc!gdr.bath.ac.uk!exspes if you MUST)

------------------------------

Date:    16 Jan 90 15:21:44 +0000
From:    alistair@minster.york.ac.uk
Subject: Biological analogy source requested

I know there has been some discussion in this group of the extent to
which the analogy between computer viruses and their biological
cousins is tenable, though I have not followed it closely. However,
can anyone suggest any references on this topic?

Alternatively, can anyone suggest any good references on viruses in
general? They should preferably be in well-read journals, (so that
they are likely to be in our library, which has no books on the
subject).

Thanks in anticipation.

------------------------------

End of VIRUS-L Digest
*********************
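
The two checks proposed in this digest, David Gursky's comparison of a returned disk against a known-good copy and P E Smee's separately distributed 'signature' with a public verifier, combined in an added example that is not part of the original messages. It assumes SHA-256 as the checksum, 512-byte sectors, a hypothetical manifest layout (`image_sha256`, `sectors`, `mutable`), and a manifest that reaches the verifier by a channel a tamperer cannot alter.

```python
import hashlib

SECTOR = 512  # assumption: 512-byte sectors, as on PC diskettes

def make_manifest(image: bytes, mutable=()) -> dict:
    """Vendor side: digests published separately from the disk.
    `mutable` (hypothetical field) lists sectors the application rewrites itself."""
    return {
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "sectors": [hashlib.sha256(image[i:i + SECTOR]).hexdigest()
                    for i in range(0, len(image), SECTOR)],
        "mutable": sorted(mutable),
    }

def changed_sectors(image: bytes, manifest: dict) -> list:
    """Verifier side: indices of sectors that differ from the manifest."""
    if hashlib.sha256(image).hexdigest() == manifest["image_sha256"]:
        return []
    got = make_manifest(image)["sectors"]
    want = manifest["sectors"]
    # A truncated or padded image counts as changed in every missing or extra sector.
    return [i for i in range(max(len(got), len(want)))
            if i >= len(got) or i >= len(want) or got[i] != want[i]]

def verdict(image: bytes, manifest: dict) -> str:
    """'clean', 'minor' (only declared-mutable sectors differ) or 'tampered'."""
    diff = changed_sectors(image, manifest)
    if not diff:
        return "clean"
    return "minor" if set(diff) <= set(manifest["mutable"]) else "tampered"

def patched(image: bytes, sector: int, data: bytes) -> bytes:
    """Return a copy of `image` with `data` written at the start of `sector`."""
    off = sector * SECTOR
    return image[:off] + data + image[off + len(data):]

# Constructed sample: an 8-sector "master disk"; sector 2 is declared self-modifying.
MASTER = bytes((i * 7) % 256 for i in range(8 * SECTOR))
MANIFEST = make_manifest(MASTER, mutable=[2])

if __name__ == "__main__":
    returned = patched(MASTER, 5, b"\xeb\xfe altered")  # constructed modification
    print(verdict(MASTER, MANIFEST))
    print(verdict(returned, MANIFEST), changed_sectors(returned, MANIFEST))
```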