Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!usc!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: WHMurray@DOCKMASTER.ARPA
Newsgroups: comp.virus
Subject: Shrink-Wrapped Software
Message-ID: <0013.9001151235.AA07390@ge.sei.cmu.edu>
Date: 14 Jan 90 23:02:00 GMT
Sender: Virus Discussion List
Lines: 41
Approved: krvw@sei.cmu.edu

>At a meeting yesterday some people made comments that some viruses
>have been found in shrink-wrapped diskettes. This did surprise me as
>we have been using a rule of thumb to stick to shrink wrapped software
>to help avoid viruses. What comments &/or advice do you have for this
>situation?
> Thanks, Craig

Shrink wrapping is a form of encapsulation that reduces the risk that
software will be contaminated and increases the probability that
tampering will leave evidence.

The vendor of software has an interest in an orderly market place and
in the reputation of his product. If you have evidence that the
product has not been tampered with since the vendor shipped it, then
you may rely, in part, upon his interests.

Shrink-wrap that is applied by the vendor would help to serve that
purpose. However, few original vendors use labelled shrink-wrap and
many distributors and retailers can apply shrink wrap.

Since much software is poorly labelled, since it is hard to
demonstrate, and generally difficult to buy, many retailers have
adopted a "Trial/Return" policy. Under this policy a purchaser is
permitted to return software for a full refund within a limited period
of time. The retailer re-wraps the software and returns it to the
shelf.

Most such retailers are simply naive; a few are irresponsible. The
risk to the retailer is that the "purchaser" will simply make a copy
of the software and return the original media and documentation to the
retailer. However, the retailer can measure this risk.

The risk to subsequent purchasers of the used package is that the
media was contaminated before it was returned. This risk is harder to
measure and is not to the person making the decisions.

Vendors can help by using labelled shrink-wrap. To the extent that
users come to expect such labelling, the re-wrap strategy becomes less
effective and efficient for the retailer.

Users can protect themselves and discourage this risky practice by
refusing to deal with retailers that offer them the right to return.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840